Abstract

The Paige and Tarjan algorithm (PT) for computing the coarsest refinement of a state partition which 
is a bisimulation on some Kripke structure is well known. It is also well known in model checking 
that bisimulation is equivalent to strong preservation of CTL or, equivalently, of Hennessy-Milner logic. 
Drawing on these observations, we analyze the basic steps of the PT algorithm from an abstract interpre- 
tation perspective, which allows us to reason on strong preservation in the context of generic inductively 
defined (temporal) languages and of possibly non-partitioning abstract models specified by abstract in- 
terpretation. This leads us to design a generalized Paige-Tarjan algorithm, called GPT, for computing 
the minimal refinement of an abstract interpretation-based model that strongly preserves some given lan- 
guage. It turns out that PT is a straight instance of GPT on the domain of state partitions for the case of 
strong preservation of Hennessy-Milner logic. We provide a number of examples showing that GPT is 
of general use. We first show how a well-known efficient algorithm for computing stuttering equivalence 
can be viewed as a simple instance of GPT. We then instantiate GPT in order to design a new efficient 
algorithm for computing simulation equivalence that is competitive with the best available algorithms. 
Finally, we show how GPT allows one to compute new strongly preserving abstract models by providing an 
efficient algorithm that computes the coarsest refinement of a given partition that strongly preserves the 
language generated by the reachability operator. 

Keywords: Abstract interpretation, abstract model checking, strong preservation, Paige-Tarjan algorithm, 
refinement algorithm. 

1 Introduction 

Motivations. The Paige and Tarjan [22] algorithm — in the paper denoted by PT — for efficiently computing the coarsest refinement of a given partition which is stable for a given state transition relation is well known. Its importance stems from the fact that PT actually computes bisimulation equivalence, because a partition $P$ of a state space $\Sigma$ is stable for a transition relation $\to$ on $\Sigma$ if and only if $P$ is a bisimulation equivalence on the transition system $(\Sigma,\to)$. In particular, PT is widely used in model checking for reducing the state space of a Kripke structure $\mathcal{K}$ because the quotient of $\mathcal{K}$ w.r.t. bisimulation equivalence strongly preserves temporal languages like CTL*, CTL and the whole $\mu$-calculus [2, 4]. This means that logical specifications can be checked on the abstract quotient model of $\mathcal{K}$ with no loss of precision. Paige and Tarjan first present the basic $O(|{\to}||\Sigma|)$-time PT algorithm and then exploit a computational logarithmic improvement in order to design a $O(|{\to}|\log|\Sigma|)$-time algorithm, which is usually referred to as Paige-Tarjan algorithm. It is important to remark that the logarithmic Paige-Tarjan algorithm is derived as an algorithmic refinement of PT that does not affect the correctness of the procedure, which is instead proved for the basic PT algorithm. As shown in [24], it turns out that state partitions can be viewed as domains in abstract interpretation and strong preservation can be cast as completeness in abstract interpretation. Thus, our first aim was to make use of an "abstract interpretation eye" to understand why PT is a correct procedure for computing strongly preserving partitions.
The PT Algorithm. Let us recall how PT works. Let $\mathrm{pre}_\to(X) = \{s\in\Sigma \mid \exists x\in X.\ s\to x\}$ denote the usual predecessor transformer on $\wp(\Sigma)$. A partition $P\in\mathrm{Part}(\Sigma)$ is PT stable when for any block $B\in P$, if $B'\in P$ then either $B\subseteq\mathrm{pre}_\to(B')$ or $B\cap\mathrm{pre}_\to(B')=\varnothing$. For a given subset $S\subseteq\Sigma$, $\mathrm{PTsplit}(S,P)$ denotes the partition obtained from $P$ by replacing each block $B\in P$ with the blocks $B\cap\mathrm{pre}_\to(S)$ and $B\smallsetminus\mathrm{pre}_\to(S)$, where we also allow no splitting, that is, $\mathrm{PTsplit}(S,P)=P$. When $P\neq\mathrm{PTsplit}(S,P)$ the subset $S$ is called a splitter for $P$. $\mathrm{Splitters}(P)$ denotes the set of splitters of $P$, while $\mathrm{PTrefiners}(P)=\{S\in\mathrm{Splitters}(P)\mid \exists\{B_i\}\subseteq P.\ S=\cup_i B_i\}$. Then, the PT algorithm goes as follows.



    input: partition P ∈ Part(Σ);
    while (P is not PT stable) do
        choose S ∈ PTrefiners(P);
        P := PTsplit(S, P);
    endwhile
    output: P;

    PT



The time complexity of PT is $O(|{\to}||\Sigma|)$ because the number of while loops is bounded by $|\Sigma|$ and, by storing $\mathrm{pre}_\to(\{s\})$ for each $s\in\Sigma$, finding a PT refiner and performing the splitting takes $O(|{\to}|)$ time.
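As an added illustration, not code from the paper, the following Python script runs the PT loop above on a constructed seven-state transition system whose initial partition is induced by a labelling (only two states satisfy the single atom). The transition relation, the labelling and all function names are assumptions of this example. It tries single blocks as candidate refiners, which is enough because a partition that no single block splits is not split by any union of blocks either ($\mathrm{pre}_\to$ is additive), and it checks afterwards that the output is a bisimulation equivalence, which is the property PT is meant to deliver.

```python
# Added example: the basic PT partition refinement loop on a small constructed
# transition system. Nothing here is the paper's own code.

# Constructed sample: states 1..7, every state has a successor (total relation).
TRANSITIONS = frozenset({(1, 2), (1, 3), (2, 4), (3, 5), (4, 4), (5, 5),
                         (6, 4), (6, 5), (7, 6)})
# Initial partition P_l induced by a labelling: only 4 and 5 satisfy the atom "p".
INITIAL = frozenset({frozenset({1, 2, 3, 6, 7}), frozenset({4, 5})})

def pre(trans, X):
    """pre_->(X) = {s | exists x in X. s -> x}."""
    return frozenset(s for (s, t) in trans if t in X)

def pt_split(trans, S, P):
    """PTsplit(S, P): replace each block B by B & pre(S) and B - pre(S),
    keeping only nonempty pieces, so a block not cut by pre(S) is unchanged."""
    pre_S = pre(trans, S)
    return frozenset(piece for B in P for piece in (B & pre_S, B - pre_S) if piece)

def is_pt_stable(trans, P):
    """P is PT stable iff for all blocks B, B': B <= pre(B') or B & pre(B') is empty."""
    return all(B <= pre(trans, B2) or not (B & pre(trans, B2)) for B in P for B2 in P)

def pt(trans, P):
    """The PT loop: while P is not stable, pick a refiner and split.
    A single block that splits P is a PT refiner (a union of one block); if no
    single block splits P then no union of blocks does, so this choice suffices."""
    P = frozenset(frozenset(B) for B in P)
    while not is_pt_stable(trans, P):
        S = next(B for B in P if pt_split(trans, B, P) != P)
        P = pt_split(trans, S, P)
    return P

def block_of(P, s):
    """The block of P containing state s."""
    return next(B for B in P if s in B)

def is_bisimulation(trans, P):
    """States in the same block must have successors in exactly the same blocks."""
    succ = {}
    for (s, t) in trans:
        succ.setdefault(s, set()).add(t)
    for B in P:
        for s in B:
            for t in B:
                blocks_s = {block_of(P, x) for x in succ.get(s, ())}
                blocks_t = {block_of(P, x) for x in succ.get(t, ())}
                if blocks_s != blocks_t:
                    return False
    return True

if __name__ == "__main__":
    result = pt(TRANSITIONS, INITIAL)
    print(sorted(sorted(B) for B in result))   # [[1, 7], [2, 3, 6], [4, 5]]
    print("bisimulation:", is_bisimulation(TRANSITIONS, result))
```

States 1 and 7 end up in the same block although their successor sets differ: 1 reaches 2 and 3, 7 reaches 6, and 2, 3, 6 are themselves bisimilar. That is exactly the coarsest stable refinement of the labelling partition.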



An Abstract Interpretation Perspective of PT. This work originated from a number of observations on the above PT algorithm. Firstly, we may view the output $\mathrm{PT}(P)$ as the coarsest refinement of a partition $P$ that strongly preserves CTL. For partitions of the state space $\Sigma$, namely standard abstract models in model checking, it is known that strong preservation of CTL is equivalent to strong preservation of (finitary) Hennessy-Milner logic HML [11], i.e., the language:

$$\varphi ::= p \mid \varphi_1\wedge\varphi_2 \mid \neg\varphi \mid \mathrm{EX}\varphi$$

The interpretation of HML is standard: $p$ ranges over atomic propositions in $AP$ where $\{\llbracket p\rrbracket\subseteq\Sigma \mid p\in AP\}=P$ and the semantic interpretation of the existential next operator EX is $\mathrm{pre}_\to:\wp(\Sigma)\to\wp(\Sigma)$. We observe that $\mathrm{PT}(P)$ indeed computes the coarsest partition $P_{\mathrm{HML}}$ that refines $P$ and strongly preserves HML. Moreover, the partition $P_{\mathrm{HML}}$ corresponds to the state equivalence $\equiv_{\mathrm{HML}}$ induced by the semantics of HML: $s\equiv_{\mathrm{HML}}s'$ iff $\forall\varphi\in\mathrm{HML}.\ s\in\llbracket\varphi\rrbracket\Leftrightarrow s'\in\llbracket\varphi\rrbracket$. We also observe that $P_{\mathrm{HML}}$ is an abstraction on the domain $\mathrm{Part}(\Sigma)$ of partitions of $\Sigma$ of the standard state semantics of HML. Thus, our starting point was that PT can be viewed as an algorithm for computing the most abstract object on a particular domain, i.e. $\mathrm{Part}(\Sigma)$, that strongly preserves a particular language, i.e. HML. We make this view precise within Cousot and Cousot's abstract interpretation framework [5, 6].

Previous work [24] introduced an abstract interpretation-based framework for reasoning on strong preservation of abstract models w.r.t. generic inductively defined languages. We showed that the lattice $\mathrm{Part}(\Sigma)$ of partitions of the state space $\Sigma$ can be viewed as an abstraction, through some abstraction and concretization maps $\alpha$ and $\gamma$, of the lattice $\mathrm{Abs}(\wp(\Sigma))$ of abstract interpretations of $\wp(\Sigma)$. Thus, a partition $P\in\mathrm{Part}(\Sigma)$ is here viewed as a particular abstract domain $\gamma(P)\in\mathrm{Abs}(\wp(\Sigma))$. This leads to a precise correspondence between forward complete abstract interpretations and strongly preserving abstract models. Let us recall that completeness in abstract interpretation [5, 6, 14] encodes an ideal situation where no loss of precision occurs by approximating concrete computations on abstract domains. The problem of minimally refining an abstract model in order to get strong preservation of some language $\mathcal{L}$ can be cast as the problem of making an abstract interpretation $A$ forward complete for the semantic operators of $\mathcal{L}$ through a minimal refinement of the abstract domain of $A$. It turns out that this latter completeness problem always admits a fixpoint solution. Hence, in our abstract interpretation framework, it turns out that for any $P\in\mathrm{Part}(\Sigma)$, the output $\mathrm{PT}(P)$ is the partition abstraction in $\mathrm{Part}(\Sigma)$ through $\alpha$ of the minimal refinement of the abstract domain $\gamma(P)\in\mathrm{Abs}(\wp(\Sigma))$ that is complete for the set $\mathbf{Op}_{\mathrm{HML}}$ of semantic operators of the language HML, where $\mathbf{Op}_{\mathrm{HML}}=\{\cap,\complement,\mathrm{pre}_\to\}$ therefore includes intersection, complementation and predecessor operators. In particular, a partition $P$ is PT stable iff the abstract domain $\gamma(P)$ is complete for the operators in $\mathbf{Op}_{\mathrm{HML}}$. Also, the following observation is crucial in our approach. The splitting operation $\mathrm{PTsplit}(S,P)$ can be viewed as the best correct approximation on $\mathrm{Part}(\Sigma)$ of a refinement operation $\mathrm{refine}_{\mathrm{pre}}(S,\cdot)$ of abstract domains: given an operator $\mathrm{op}$, $\mathrm{refine}_{\mathrm{op}}(S,A)$ refines an abstract domain $A$ through an "op-refiner" $S\in A$ to the most abstract domain that contains both $A$ and the image $\mathrm{op}(S)$. In particular, $P$ turns out to be PT stable iff the abstract domain $\gamma(P)$ cannot be refined w.r.t. the function $\mathrm{pre}_\to$. Thus, if $\mathrm{refine}^{\mathrm{par}}_{\mathrm{op}}$ denotes the best correct approximation in $\mathrm{Part}(\Sigma)$ of $\mathrm{refine}_{\mathrm{op}}$ then the PT algorithm can be reformulated as follows.

    input: partition P ∈ Part(Σ);
    while (the set of pre_→-refiners of P is nonempty) do
        choose some pre_→-refiner S ∈ γ(P);
        P := refine_pre^par(S, P);
    endwhile
    output: P;



Main Results. This abstract interpretation-based view of PT leads us to generalize PT to:

(1) a generic domain $\mathbb{A}$ of abstract models that generalizes the role played in PT by the domain of state partitions $\mathrm{Part}(\Sigma)$;

(2) a generic set $\mathbf{Op}$ of operators on $\wp(\Sigma)$ that provides the semantics of some language $\mathcal{L}_{\mathbf{Op}}$ and generalizes the role played in PT by the set $\mathbf{Op}_{\mathrm{HML}}$ of operators of HML.

We design a generalized Paige-Tarjan refinement algorithm, called GPT, that, for any abstract model $A\in\mathbb{A}$, computes the most abstract refinement of $A$ in $\mathbb{A}$ which is strongly preserving for the language $\mathcal{L}_{\mathbf{Op}}$. The correctness of GPT is guaranteed by some completeness conditions on $\mathbb{A}$ and $\mathbf{Op}$. We provide a number of applications showing that GPT is an algorithmic scheme of general use.

We first show how GPT can be instantiated in order to get the well-known Groote-Vaandrager algorithm [15] that computes divergence blind stuttering equivalence in $O(|{\to}||\Sigma|)$-time (this is the best known time bound). Divergence blind stuttering equivalence is a behavioural equivalence used in process algebra to take into account invisible events [2, 8]. Let us recall that the Groote-Vaandrager algorithm can also be used for computing branching bisimulation equivalence, which is the state equivalence induced by CTL*-X [2, 8, 15]. The Groote-Vaandrager algorithm corresponds to an instance of GPT where the set of operators is $\mathbf{Op}=\{\cap,\complement,\mathrm{EU}\}$ - EU denotes the standard semantic interpretation of the existential until - and the abstract domain $\mathbb{A}$ is the lattice of partitions $\mathrm{Part}(\Sigma)$.

We then show how GPT allows us to design a new simple and efficient algorithm for computing simulation equivalence. This algorithm is obtained as a consequence of the fact that simulation equivalence corresponds to strong preservation of the language

$$\varphi ::= p \mid \varphi_1\wedge\varphi_2 \mid \mathrm{EX}\varphi.$$

Therefore, in this instance of GPT the set of operators is $\mathbf{Op}=\{\cap,\mathrm{pre}_\to\}$ and the abstract domain $\mathbb{A}$ is the lattice of disjunctive (i.e. precise for least upper bounds [6]) abstract domains of $\wp(\Sigma)$. It turns out that this algorithm can be implemented with space and time complexities that are competitive with those of the best available algorithms for simulation equivalence.

Finally, we demonstrate how GPT can solve novel strong preservation problems by considering strong preservation w.r.t. the language inductively generated by propositional logic and the reachability operator EF. Here, we obtain a partition refinement algorithm, namely the abstract domain $\mathbb{A}$ is the lattice of partitions $\mathrm{Part}(\Sigma)$, while the set of operators is $\mathbf{Op}=\{\cap,\complement,\mathrm{EF}\}$. We describe an implementation for this instance of GPT that leads to a $O(|{\to}||\Sigma|)$-time algorithm that was also experimentally evaluated.

2 Background 

2.1 Notation and Preliminaries 

Notations. Let $X$ be any set. $\mathrm{Fun}(X)$ denotes the set of functions $f:X^n\to X$, for any $n=\sharp(f)\ge 0$, called arity of $f$. Following a standard convention, when $n=0$, $f$ is meant to be a specific object of $X$. If $f:X\to Y$ then the image of $f$ is also denoted by $\mathrm{img}(f)=\{f(x)\in Y\mid x\in X\}$. When writing a set $\mathcal{S}$ of subsets of a given set, like a partition, $\mathcal{S}$ is often written in a compact form like $\{1,12,13\}$ or $\{[1],[12],[13]\}$ that stands for $\{\{1\},\{1,2\},\{1,3\}\}$. The complement operator for the universe set $X$ is $\complement:\wp(X)\to\wp(X)$, where $\complement(S)=X\smallsetminus S$.

Orders. Let $(P,\le)$ be a poset. Posets are often denoted by $P_\le$. We use the symbol $\sqsubseteq$ ($\sqsubset$) to denote (strict) pointwise ordering between functions: if $X$ is any set and $f,g:X\to P$ then $f\sqsubseteq g$ if for all $x\in X$, $f(x)\le g(x)$. A mapping $f:P\to Q$ on posets is continuous when $f$ preserves least upper bounds (lub's) of countable chains in $P$, while, dually, it is co-continuous when $f$ preserves greatest lower bounds (glb's) of countable chains in $P$. A complete lattice $C_\le$ is also denoted by $(C,\le,\vee,\wedge,\top,\bot)$ where $\vee$, $\wedge$, $\top$ and $\bot$ denote, respectively, lub, glb, greatest element and least element in $C$. A function $f:C\to D$ between complete lattices is additive (co-additive) when $f$ preserves least upper (greatest lower) bounds. We denote by $\mathrm{lfp}(f)$ and $\mathrm{gfp}(f)$, respectively, the least and greatest fixpoint, when they exist, of an operator $f$ on a poset.

Partitions. A partition $P$ of a set $\Sigma$ is a set of nonempty subsets of $\Sigma$, called blocks, that are pairwise disjoint and whose union gives $\Sigma$. $\mathrm{Part}(\Sigma)$ denotes the set of partitions of $\Sigma$. $\mathrm{Part}(\Sigma)$ is endowed with the following standard partial order $\preccurlyeq$: $P_1\preccurlyeq P_2$, i.e. $P_2$ is coarser than $P_1$ (or $P_1$ refines $P_2$) iff $\forall B\in P_1.\ \exists B'\in P_2.\ B\subseteq B'$. It is well known that $(\mathrm{Part}(\Sigma),\preccurlyeq,\curlyvee,\curlywedge,\{\Sigma\},\{\{s\}\}_{s\in\Sigma})$ is a complete lattice, where $P_1\curlywedge P_2=\{B_1\cap B_2\mid B_1\in P_1,\ B_2\in P_2,\ B_1\cap B_2\neq\varnothing\}$.

Kripke Structures. A transition system $\mathcal{T}=(\Sigma,\to)$ consists of a (possibly infinite) set $\Sigma$ of states and a transition relation $\to\subseteq\Sigma\times\Sigma$. As usual [4], we assume that the relation $\to$ is total, i.e., for any $s\in\Sigma$ there exists some $t\in\Sigma$ such that $s\to t$, so that any maximal path in $\mathcal{T}$ is necessarily infinite. The pre/post transformers on $\wp(\Sigma)$ are defined as usual:

- $\mathrm{pre}_\to=\lambda Y.\{a\in\Sigma\mid\exists b\in Y.\ a\to b\}$

- $\widetilde{\mathrm{pre}}_\to=\complement\circ\mathrm{pre}_\to\circ\complement=\lambda Y.\{a\in\Sigma\mid\forall b\in\Sigma.\ (a\to b\Rightarrow b\in Y)\}$

- $\mathrm{post}_\to=\lambda Y.\{b\in\Sigma\mid\exists a\in Y.\ a\to b\}$

- $\widetilde{\mathrm{post}}_\to=\complement\circ\mathrm{post}_\to\circ\complement=\lambda Y.\{b\in\Sigma\mid\forall a\in\Sigma.\ (a\to b\Rightarrow a\in Y)\}$

Let us remark that $\mathrm{pre}_\to$ and $\mathrm{post}_\to$ are additive operators on $\wp(\Sigma)_\subseteq$ while $\widetilde{\mathrm{pre}}_\to$ and $\widetilde{\mathrm{post}}_\to$ are co-additive. When clear from the context, subscripts in pre/post transformers are sometimes omitted.

Given a set $AP$ of atomic propositions (of some language), a Kripke structure $\mathcal{K}=(\Sigma,\to,\ell)$ over $AP$ consists of a transition system $(\Sigma,\to)$ together with a state labeling function $\ell:\Sigma\to\wp(AP)$. We use the following notation: for any $s\in\Sigma$, $[s]_\ell=\{s'\in\Sigma\mid\ell(s)=\ell(s')\}$, while $P_\ell=\{[s]_\ell\mid s\in\Sigma\}\in\mathrm{Part}(\Sigma)$ denotes the state partition that is induced by $\ell$.

The notation $s\models^{\mathcal{K}}\varphi$ means that a state $s\in\Sigma$ satisfies in $\mathcal{K}$ a state formula $\varphi$ of some language $\mathcal{L}$, where the specific definition of the satisfaction relation $\models^{\mathcal{K}}$ depends on the language $\mathcal{L}$ (interpretations of standard logical/temporal operators like next, until, globally, etc. can be found in [4]).

2.2 Abstract Interpretation and Completeness 
2.2.1 Abstract Domains 

In standard Cousot and Cousot's abstract interpretation, abstract domains can be equivalently specified either by Galois connections, i.e. adjunctions, or by upper closure operators (uco's) [5, 6]. Let us recall these standard notions.

Galois Connections and Insertions. If $A$ and $C$ are posets and $\alpha:C\to A$ and $\gamma:A\to C$ are monotone functions such that $\forall c\in C.\ c\le_C\gamma(\alpha(c))$ and $\forall a\in A.\ \alpha(\gamma(a))\le_A a$ then the quadruple $(\alpha,C,A,\gamma)$ is called a Galois connection (GC for short) between $C$ and $A$. If in addition $\alpha\circ\gamma=\lambda x.x$ then $(\alpha,C,A,\gamma)$ is a Galois insertion (GI for short) of $A$ in $C$. In a GI, $\gamma$ is 1-1 and $\alpha$ is onto. Let us also recall that the notion of GC is equivalent to that of adjunction: if $\alpha:C\to A$ and $\gamma:A\to C$ then $(\alpha,C,A,\gamma)$ is a GC iff $\forall c\in C.\ \forall a\in A.\ \alpha(c)\le_A a\Leftrightarrow c\le_C\gamma(a)$. The map $\alpha$ ($\gamma$) is called the left- (right-) adjoint to $\gamma$ ($\alpha$). It turns out that one adjoint map $\alpha/\gamma$ uniquely determines the other adjoint map $\gamma/\alpha$ as follows. On the one hand, a map $\alpha:C\to A$ admits a necessarily unique right-adjoint map $\gamma:A\to C$ iff $\alpha$ preserves arbitrary lub's; in this case, we have that $\gamma=\lambda a.\vee_C\{c\in C\mid\alpha(c)\le_A a\}$. On the other hand, a map $\gamma:A\to C$ admits a necessarily unique left-adjoint map $\alpha:C\to A$ iff $\gamma$ preserves arbitrary glb's; in this case, $\alpha=\lambda c.\wedge_A\{a\in A\mid c\le_C\gamma(a)\}$. In particular, in any GC $(\alpha,C,A,\gamma)$ between complete lattices it turns out that $\alpha$ is additive and $\gamma$ is co-additive.

We assume the standard abstract interpretation framework, where concrete and abstract domains, $C$ and $A$, are complete lattices related by abstraction and concretization maps $\alpha$ and $\gamma$ forming a GC $(\alpha,C,A,\gamma)$. $A$ is called an abstraction of $C$ and $C$ a concretization of $A$. The ordering relations on concrete and abstract domains describe the relative precision of domain values: $x\le y$ means that $y$ is an approximation of $x$ or, equivalently, $x$ is more precise than $y$. Galois connections relate the concrete and abstract notions of relative precision: an abstract value $a\in A$ approximates a concrete value $c\in C$ when $\alpha(c)\le_A a$, or, equivalently (by adjunction), $c\le_C\gamma(a)$. As a key consequence of requiring a Galois connection, it turns out that $\alpha(c)$ is the best possible approximation in $A$ of $c$, that is $\alpha(c)=\wedge\{a\in A\mid c\le_C\gamma(a)\}$ holds. If $(\alpha,C,A,\gamma)$ is a GI then each value of the abstract domain $A$ is useful in representing $C$, because all the values in $A$ represent distinct members of $C$, $\gamma$ being 1-1. Any GC can be lifted to a GI by identifying in an equivalence class those values of the abstract domain with the same concretization. $\mathrm{Abs}(C)$ denotes the set of abstract domains of $C$ and we write $A\in\mathrm{Abs}(C)$ to mean that the abstract domain $A$ is related to $C$ through a GI $(\alpha,C,A,\gamma)$.

An abstract domain $A\in\mathrm{Abs}(C)$ is disjunctive when the corresponding concretization map $\gamma$ is additive or, equivalently, when the image $\gamma(A)\subseteq C$ is closed under arbitrary lub's of $C$. We denote by $\mathrm{dAbs}(C)$ the subset of disjunctive abstract domains.

Closure Operators. An (upper) closure operator, or simply a closure, on a poset $P_\le$ is an operator $\mu:P\to P$ that is monotone, idempotent and extensive, i.e., $\forall x\in P.\ x\le\mu(x)$. Dually, lower closure operators are monotone, idempotent, and restrictive, i.e., $\forall x\in P.\ \mu(x)\le x$. $\mathrm{uco}(P)$ denotes the set of closure operators on $P$. Let $(C,\le,\vee,\wedge,\top,\bot)$ be a complete lattice. A closure $\mu\in\mathrm{uco}(C)$ is uniquely determined by its image $\mathrm{img}(\mu)$, which coincides with its set of fixpoints, as follows: $\mu=\lambda y.\wedge\{x\in\mathrm{img}(\mu)\mid y\le x\}$. Also, $X\subseteq C$ is the image of some closure operator $\mu_X$ on $C$ iff $X$ is a Moore-family of $C$, i.e., $X=\mathcal{M}(X)=\{\wedge S\mid S\subseteq X\}$ — where $\wedge\varnothing=\top\in\mathcal{M}(X)$. In other terms, $X$ is a Moore-family of $C$ (or Moore-closed) when $X$ is meet-closed. In this case, $\mu_X=\lambda y.\wedge\{x\in X\mid y\le x\}$ is the corresponding closure operator on $C$. For any $X\subseteq C$, $\mathcal{M}(X)$ is called the Moore-closure of $X$ in $C$, i.e., $\mathcal{M}(X)$ is the least (w.r.t. set inclusion) subset of $C$ which contains $X$ and is a Moore-family of $C$. Moreover, it turns out that for any $\mu\in\mathrm{uco}(C)$ and any Moore-family $X\subseteq C$, $\mu_{\mathrm{img}(\mu)}=\mu$ and $\mathrm{img}(\mu_X)=X$. Thus, closure operators on $C$ are in bijection with Moore-families of $C$. This allows us to consider a closure operator $\mu\in\mathrm{uco}(C)$ both as a function $\mu:C\to C$ and as a Moore-family $\mathrm{img}(\mu)\subseteq C$. This is particularly useful and does not give rise to ambiguity since one can distinguish the use of a closure $\mu$ as function or set according to the context.

If $C$ is a complete lattice then $\mathrm{uco}(C)$ endowed with the pointwise ordering $\sqsubseteq$ is a complete lattice denoted by $(\mathrm{uco}(C),\sqsubseteq,\sqcup,\sqcap,\lambda x.\top,\lambda x.x)$, where for every $\mu,\eta\in\mathrm{uco}(C)$, $\{\mu_i\}_{i\in I}\subseteq\mathrm{uco}(C)$ and $x\in C$:

- $\mu\sqsubseteq\eta$ iff $\forall y\in C.\ \mu(y)\le\eta(y)$ iff $\mathrm{img}(\eta)\subseteq\mathrm{img}(\mu)$;

- $(\sqcap_{i\in I}\mu_i)(x)=\wedge_{i\in I}\mu_i(x)$;

- $x\in\sqcup_{i\in I}\mu_i\Leftrightarrow\forall i\in I.\ x\in\mathrm{img}(\mu_i)$;

- $\lambda x.\top$ is the greatest element, whereas $\lambda x.x$ is the least element.

Thus, the glb in $\mathrm{uco}(C)$ is defined pointwise, while the lub of a set of closures $\{\mu_i\}_{i\in I}\subseteq\mathrm{uco}(C)$ is the closure whose image is given by the set-intersection $\cap_{i\in I}\mu_i$.

A closure $\mu\in\mathrm{uco}(C)$ is disjunctive when $\mu$ preserves arbitrary lub's or, equivalently, when $\mathrm{img}(\mu)$ is join-closed, that is $\{\vee X\mid X\subseteq\mathrm{img}(\mu)\}=\mathrm{img}(\mu)$. Hence, a subset $X\subseteq C$ is the image of a disjunctive closure on $C$ iff $X$ is both meet- and join-closed. If $C$ is completely distributive — this is the case, for example, of a lattice $\wp(\Sigma)$ for some set $\Sigma$ — then the greatest (w.r.t. $\sqsubseteq$) disjunctive closure $\mathbb{D}(S)$ that contains a set $S\subseteq C$ is obtained by closing $S$ under meets and joins, namely $\mathbb{D}(S)=\{\vee X\mid X\subseteq\mathcal{M}(S)\}$.

Closures are Equivalent to Galois Insertions. It is well known since [6] that abstract domains can be equivalently specified either as Galois insertions or as closures. These two approaches are completely equivalent. On the one hand, if $\mu\in\mathrm{uco}(C)$ and $A$ is a complete lattice which is isomorphic to $\mathrm{img}(\mu)$, where $\iota:\mathrm{img}(\mu)\to A$ and $\iota^{-1}:A\to\mathrm{img}(\mu)$ provide the isomorphism, then $(\iota\circ\mu,C,A,\iota^{-1})$ is a GI. On the other hand, if $(\alpha,C,A,\gamma)$ is a GI then $\mu_A=\gamma\circ\alpha\in\mathrm{uco}(C)$ is the closure associated with $A$ such that $(\mathrm{img}(\mu_A),\le_C)$ is a complete lattice which is isomorphic to $(A,\le_A)$. Furthermore, these two constructions are inverse of each other. Let us also remark that an abstract domain $A$ is disjunctive iff the uco $\mu_A$ is disjunctive. Given an abstract domain $A$ specified by a GI $(\alpha,C,A,\gamma)$, its associated closure $\gamma\circ\alpha$ on $C$ can be thought of as the "logical meaning" of $A$ in $C$, since this is shared by any other abstract representation for the objects of $A$. Thus, the closure operator approach is particularly convenient when reasoning about properties of abstract domains independently from the representation of their objects.

The Lattice of Abstract Domains. Abstract domains specified by GIs can be pre-ordered w.r.t. precision as follows: if $A_1,A_2\in\mathrm{Abs}(C)$ then $A_1$ is more precise (or concrete) than $A_2$ (or $A_2$ is an abstraction of $A_1$) when $\mu_{A_1}\sqsubseteq\mu_{A_2}$. The pointwise ordering $\sqsubseteq$ between uco's corresponds therefore to the standard ordering used to compare abstract domains with respect to their precision. Also, $A_1$ and $A_2$ are equivalent, denoted by $A_1\simeq A_2$, when their associated closures coincide, i.e. $\mu_{A_1}=\mu_{A_2}$. Hence, the quotient $\mathrm{Abs}(C)/_{\simeq}$ gives rise to a poset that, by a slight abuse of notation, is simply denoted by $(\mathrm{Abs}(C),\sqsubseteq)$. Thus, when we write $A\in\mathrm{Abs}(C)$ we mean that $A$ is any representative of an equivalence class in $\mathrm{Abs}(C)/_{\simeq}$ and is specified by a Galois insertion $(\alpha,C,A,\gamma)$. It turns out that $(\mathrm{Abs}(C),\sqsubseteq)$ is a complete lattice, called the lattice of abstract domains of $C$ [5, 6], because it is isomorphic to the complete lattice $(\mathrm{uco}(C),\sqsubseteq)$. Lub's and glb's in $\mathrm{Abs}(C)$ have therefore the following reading as operators on domains. Let $\{A_i\}_{i\in I}\subseteq\mathrm{Abs}(C)$: (i) $\sqcup_{i\in I}A_i$ is the most concrete among the domains which are abstractions of all the $A_i$'s; (ii) $\sqcap_{i\in I}A_i$ is the most abstract among the domains which are more concrete than every $A_i$ — this latter domain is also known as reduced product [6] of all the $A_i$'s.

2.2.2 Completeness in Abstract Interpretation 

Correct Abstract Interpretations. Let $C$ be a concrete domain, $f:C\to C$ be a concrete semantic function¹ and $f^\sharp:A\to A$ be a corresponding abstract function on an abstract domain $A\in\mathrm{Abs}(C)$ specified by a GI $(\alpha,C,A,\gamma)$. Then, $(A,f^\sharp)$ is a sound (or correct) abstract interpretation when $\alpha\circ f\sqsubseteq f^\sharp\circ\alpha$ holds. The abstract function $f^\sharp$ is called a correct approximation on $A$ of $f$. This means that a concrete computation $f(c)$ can be correctly approximated in $A$ by $f^\sharp(\alpha(c))$, namely $\alpha(f(c))\le_A f^\sharp(\alpha(c))$. An abstract function $f_1^\sharp:A\to A$ is more precise than $f_2^\sharp:A\to A$ when $f_1^\sharp\sqsubseteq f_2^\sharp$. Since $\alpha\circ f\sqsubseteq f^\sharp\circ\alpha$ holds iff $\alpha\circ f\circ\gamma\sqsubseteq f^\sharp$ holds, the abstract function $f^A=\alpha\circ f\circ\gamma:A\to A$ is called the best correct approximation of $f$ in $A$.

Complete Abstract Interpretations. Completeness in abstract interpretation corresponds to requiring that, in addition to soundness, no loss of precision occurs when $f(c)$ is approximated in $A$ by $f^\sharp(\alpha(c))$. Thus, completeness of $f^\sharp$ for $f$ is encoded by the equation $\alpha\circ f=f^\sharp\circ\alpha$. This is also called backward completeness because a dual form of forward completeness may be considered. As a very simple example, let us consider the abstract domain $\mathit{Sign}$ representing the sign of an integer variable, namely $\mathit{Sign}=\{\bot,\mathbb{Z}_{\le 0},0,\mathbb{Z}_{\ge 0},\top\}\in\mathrm{Abs}(\wp(\mathbb{Z})_\subseteq)$. Let us consider the binary concrete operation of integer addition on sets of integers, that is $X+Y\overset{\mathrm{def}}{=}\{x+y\mid x\in X,\ y\in Y\}$, and the square operator on sets of integers, that is $X^2=\{x^2\mid x\in X\}$. It turns out that the best correct approximation $+^{\mathit{Sign}}$ of integer addition in $\mathit{Sign}$ is sound but not complete — because $\alpha(\{-1\}+\{1\})=0<_{\mathit{Sign}}\top=\alpha(\{-1\})+^{\mathit{Sign}}\alpha(\{1\})$ — while it is easy to check that the best correct approximation of the square operation in $\mathit{Sign}$ is instead complete. Let us also recall that backward completeness implies fixpoint completeness, meaning that if $\alpha\circ f=f^\sharp\circ\alpha$ then $\alpha(\mathrm{lfp}(f))=\mathrm{lfp}(f^\sharp)$.

¹ For simplicity of notation we consider here unary functions since the extension to generic n-ary functions is straightforward.
A dual form of completeness can be considered. The soundness condition $\alpha\circ f\sqsubseteq f^\sharp\circ\alpha$ can be equivalently formulated as $f\circ\gamma\sqsubseteq\gamma\circ f^\sharp$. Forward completeness for $f^\sharp$ corresponds to requiring that the equation $f\circ\gamma=\gamma\circ f^\sharp$ holds, and therefore means that no loss of precision occurs when a concrete computation $f(\gamma(a))$, for some abstract value $a\in A$, is approximated in $A$ by $f^\sharp(a)$. Let us notice that backward and forward completeness are orthogonal concepts. In fact: (1) we observed above that $+^{\mathit{Sign}}$ is not backward complete while it is forward complete because for any $a_1,a_2\in\mathit{Sign}$, $\gamma(a_1)+\gamma(a_2)=\gamma(a_1+^{\mathit{Sign}}a_2)$: for instance, $\gamma(\mathbb{Z}_{\ge 0})+\gamma(\mathbb{Z}_{\ge 0})=\mathbb{Z}_{\ge 0}=\gamma(\mathbb{Z}_{\ge 0}+^{\mathit{Sign}}\mathbb{Z}_{\ge 0})$; (2) the best correct approximation $(\cdot)^{2\,\mathit{Sign}}$ of the square operator on $\mathit{Sign}$ is not forward complete because $\gamma(\mathbb{Z}_{\ge 0})^2\subsetneq\gamma(\mathbb{Z}_{\ge 0})=\gamma((\mathbb{Z}_{\ge 0})^{2\,\mathit{Sign}})$ while, as observed above, it is instead backward complete.

Completeness is an Abstract Domain Property. Giacobazzi et al. [14] observed that completeness uniquely depends upon the abstraction map, i.e. upon the abstract domain. This means that if $f^\sharp$ is backward complete for $f$ then the best correct approximation $f^A$ of $f$ in $A$ is backward complete as well, and, in this case, $f^\sharp$ indeed coincides with $f^A$. Hence, for any abstract domain $A$, one can define a backward complete abstract operation $f^\sharp$ on $A$ if and only if $f^A$ is backward complete. Thus, an abstract domain $A\in\mathrm{Abs}(C)$ is defined to be backward complete for $f$ iff the equation $\alpha\circ f=f^A\circ\alpha$ holds. This simple observation makes backward completeness an abstract domain property, namely an intrinsic characteristic of the abstract domain. Let us observe that $\alpha\circ f=f^A\circ\alpha$ holds iff $\gamma\circ\alpha\circ f=\gamma\circ f^A\circ\alpha=\gamma\circ\alpha\circ f\circ\gamma\circ\alpha$ holds, so that $A$ is backward complete for $f$ when $\mu_A\circ f=\mu_A\circ f\circ\mu_A$. Thus, a closure $\mu\in\mathrm{uco}(C)$, that defines some abstract domain, is backward complete for $f$ when $\mu\circ f=\mu\circ f\circ\mu$ holds. Analogous observations apply to forward completeness, which is also an abstract domain property: $A\in\mathrm{Abs}(C)$ is forward complete for $f$ (or forward $f$-complete) when $f\circ\mu_A=\mu_A\circ f\circ\mu_A$, while a closure $\mu\in\mathrm{uco}(C)$ is forward complete for $f$ when $f\circ\mu=\mu\circ f\circ\mu$ holds.

2.3 Shells 

Refinements of abstract domains have been studied from the beginning of abstract interpretation [5, 6] and led to the notion of shell of abstract domains [10, 13, 14]. Given a generic poset $P_\le$ of semantic objects — where $x\le y$ intuitively means that $x$ is a "refinement" of $y$ — and a property $\mathcal{P}\subseteq P$ of these objects, the generic notion of shell is as follows: the $\mathcal{P}$-shell of an object $x\in P$ is defined to be an object $s_x\in P$ such that:

(i) $s_x$ satisfies the property $\mathcal{P}$,

(ii) $s_x$ is a refinement of $x$, and

(iii) $s_x$ is the greatest among the objects in $P$ satisfying (i) and (ii).

Note that if a $\mathcal{P}$-shell exists then it is unique. Moreover, if the $\mathcal{P}$-shell exists for any object in $P$ then it turns out that the operator that maps any $x\in P$ to its $\mathcal{P}$-shell is a lower closure operator on $P$, being monotone, idempotent and reductive: this is called the $\mathcal{P}$-shell refinement operator. We will be interested in shells of abstract domains and partitions, namely shells in the complete lattices of abstract domains and partitions. Given a state space $\Sigma$ and a partition property $\mathcal{P}\subseteq\mathrm{Part}(\Sigma)$, the $\mathcal{P}$-shell of $P\in\mathrm{Part}(\Sigma)$ is the coarsest refinement of $P$ satisfying $\mathcal{P}$, when this exists. Also, given a concrete domain $C$ and a domain property $\mathcal{P}\subseteq\mathrm{Abs}(C)$, the $\mathcal{P}$-shell of $A\in\mathrm{Abs}(C)$, when this exists, is the most abstract domain that satisfies $\mathcal{P}$ and refines $A$. As an important example, Giacobazzi et al. [14] constructively showed that backward complete shells always exist when the concrete functions are continuous.

Disjunctive Shells. Consider the abstract domain property of being disjunctive, namely $\mathrm{dAbs}(C)\subseteq\mathrm{Abs}(C)$. As already observed in [6], if $C$ is a completely distributive lattice² then any abstract domain $A\in\mathrm{Abs}(C)$ can be refined to its disjunctive completion $\mathrm{dc}(A)=\{\vee_C S\mid S\subseteq\gamma(A)\}$. This means that $\mathrm{dc}(A)$ is the most abstract domain that refines $A$ and is disjunctive, namely it is the disjunctive shell of $A$. Hence, the disjunctive shell operator $\mathscr{S}_{\mathrm{dis}}:\mathrm{Abs}(C)\to\mathrm{Abs}(C)$ is defined as follows:

$$\mathscr{S}_{\mathrm{dis}}(A)=\sqcup\{X\in\mathrm{Abs}(C)\mid X\sqsubseteq A,\ X\text{ is disjunctive}\}.$$

² This roughly means that in $C$ arbitrary glb's distribute over arbitrary lub's - any powerset, ordered w.r.t. super-/sub-set relation, is completely distributive.

Forward Complete Shells. Let $F\subseteq\mathrm{Fun}(C)$ (thus functions in $F$ may have any arity) and $S\in\wp(C)$. We denote by $F(S)\in\wp(C)$ the image of $F$ on $S$, i.e. $F(S)=\{f(\vec{s})\mid f\in F,\ \vec{s}\in S^{\sharp(f)}\}$, and we say that $S$ is $F$-closed when $F(S)\subseteq S$. An abstract domain $A\in\mathrm{Abs}(C)$ is forward $F$-complete when $A$ is forward complete for any $f\in F$. Let us observe that forward $F$-completeness for an abstract domain $A$ means that the image $\gamma(A)$ is closed under the image of functions in $F$, namely $F(\gamma(A))\subseteq\gamma(A)$. Also note that when $k:C^0\to C$, i.e. $k\in C$ is a constant, $A$ is forward $k$-complete iff $k$ is precisely represented in $A$, i.e. $\gamma(\alpha(k))=k$. Let us finally note that any abstract domain is always forward meet-complete because any uco is Moore-closed.

The (forward) $F$-complete shell operator $\mathscr{S}_F:\mathrm{Abs}(C)\to\mathrm{Abs}(C)$ is defined as follows:

$$\mathscr{S}_F(A)=\sqcup\{X\in\mathrm{Abs}(C)\mid X\sqsubseteq A,\ X\text{ is forward }F\text{-complete}\}.$$

As observed in [12, 24], it turns out that for any abstract domain $A$, $\mathscr{S}_F(A)$ is forward $F$-complete, namely forward complete shells always exist. When $C$ is finite, note that for the meet operator $\wedge:C^2\to C$ we have that, for any $F$, $\mathscr{S}_F=\mathscr{S}_{F\cup\{\wedge\}}$, because uco's (that is, abstract domains) are meet-closed.

A forward complete shell $\mathscr{S}_F(A)$ is a more concrete abstraction than $A$. How to characterize $\mathscr{S}_F(A)$?

As shown in [24], forward complete shells admit a constructive fixpoint characterization. Let $F^{\mathcal{M}}:\mathrm{Abs}(C)\to\mathrm{Abs}(C)$ be defined as follows: $F^{\mathcal{M}}(X)=\mathcal{M}(F(\gamma(X)))$, namely $F^{\mathcal{M}}(X)$ is the most abstract domain that contains the image of $F$ on $\gamma(X)$. Given $A\in\mathrm{Abs}(C)$, we consider the operator $F_A:\mathrm{Abs}(C)\to\mathrm{Abs}(C)$ defined by the reduced product $F_A(X)=A\sqcap F^{\mathcal{M}}(X)$. Let us observe that $F_A(X)=\mathcal{M}(\gamma(A)\cup F(\gamma(X)))$ and that $F_A$ is monotone and therefore admits the greatest fixpoint, which provides the forward $F$-complete shell of $A$:

$$\mathscr{S}_F(A)=\mathrm{gfp}(F_A). \qquad (2.1)$$

Example 2.1. Let $\Sigma=\{1,2,3,4\}$ and $R\subseteq\Sigma\times\Sigma$ be the relation $\{(1,2),(2,3),(3,4),(4,4)\}$. Let us consider the post transformer $\mathrm{post}_R:\wp(\Sigma)\to\wp(\Sigma)$. Consider the abstract domain $A=\{\varnothing,2,1234\}\in\mathrm{Abs}(\wp(\Sigma)_\subseteq)$. We have that $\mathscr{S}_{\mathrm{post}_R}(A)=\{\varnothing,2,3,4,34,234,1234\}$ because by (2.1):

$X_0=\{1234\}$ (most abstract domain)

$X_1=\mathcal{M}(A\cup\mathrm{post}_R(X_0))=\mathcal{M}(A\cup\{234\})=\{\varnothing,2,234,1234\}$

$X_2=\mathcal{M}(A\cup\mathrm{post}_R(X_1))=\mathcal{M}(A\cup\{\varnothing,3,34,234\})=\{\varnothing,2,3,34,234,1234\}$

$X_3=\mathcal{M}(A\cup\mathrm{post}_R(X_2))=\mathcal{M}(A\cup\{\varnothing,3,4,34,234\})=\{\varnothing,2,3,4,34,234,1234\}$

$X_4=\mathcal{M}(A\cup\mathrm{post}_R(X_3))=\mathcal{M}(A\cup\{\varnothing,3,4,34,234\})=X_3$ (greatest fixpoint). □

3 Generalized Strong Preservation 

Let us recall from [24] how partitions, i.e. standard abstract models, can be viewed as specific abstract
domains and how strong preservation in standard abstract model checking can be cast as forward com-
pleteness of abstract interpretations.

3.1 Partitions as Abstract Domains 

Let $\Sigma$ be any (possibly infinite) set of system states. As shown in [24], it turns out that the lattice of state
partitions $\mathrm{Part}(\Sigma)$ can be viewed as an abstraction of the lattice of abstract domains $\mathrm{Abs}(\wp(\Sigma))$. This is
important for our goal of performing an abstract fixpoint computation on the abstract lattice of partitions
$\mathrm{Part}(\Sigma)$ of a forward complete shell in $\mathrm{Abs}(\wp(\Sigma))$.

A partition $P \in \mathrm{Part}(\Sigma)$ can be viewed as an abstraction of $\wp(\Sigma)_\subseteq$ as follows: any $S \subseteq \Sigma$ is over-
approximated by the unique minimal cover of $S$ in $P$, namely by the union of all the blocks $B \in P$ such
that $B \cap S \neq \varnothing$. A graphical example is depicted in Figure 1.

Figure 1: Partitions as abstract domains.

This abstraction is formalized by a GI $(\alpha_P, \wp(\Sigma)_\subseteq, \wp(P)_\subseteq, \gamma_P)$ where:

$\alpha_P(S) = \{B \in P \mid B \cap S \neq \varnothing\}, \qquad \gamma_P(\mathcal{B}) = \cup_{B \in \mathcal{B}} B.$

We can therefore define a function $\mathrm{pad} : \mathrm{Part}(\Sigma) \to \mathrm{Abs}(\wp(\Sigma))$ that maps any partition $P$ to an abstract
domain $\mathrm{pad}(P)$ which is called partitioning. In general, an abstract domain $A \in \mathrm{Abs}(\wp(\Sigma))$ is called
partitioning when $A$ is equivalent to an abstract domain $\mathrm{pad}(P)$ for some partition $P \in \mathrm{Part}(\Sigma)$. Accord-
ingly, a closure $\mu \in \mathrm{uco}(\wp(\Sigma))$ that coincides with $\gamma_P \circ \alpha_P$, for some partition $P$, is called partitioning.
It can be shown that an abstract domain $A$ is partitioning iff its image $\gamma(A)$ is closed under complements,
that is, $\forall S \in \gamma(A).\ \complement(S) \in \gamma(A)$. We denote by $\mathrm{Abs}_{\mathrm{par}}(\wp(\Sigma))$ and $\mathrm{uco}_{\mathrm{par}}(\wp(\Sigma))$ the sets of, respectively,
partitioning abstract domains and closures on $\wp(\Sigma)$.

Partitions can thus be viewed as representations of particular abstract domains. On the other hand,
it turns out that abstract domains can be abstracted to partitions. An abstract domain $A \in \mathrm{Abs}(\wp(\Sigma)_\subseteq)$
induces a state equivalence $\equiv_A$ on $\Sigma$ by identifying those states that cannot be distinguished by $A$:

$s \equiv_A s' \iff \alpha(\{s\}) = \alpha(\{s'\}).$

For any $s \in \Sigma$, $[s]_A = \{s' \in \Sigma \mid \alpha(\{s\}) = \alpha(\{s'\})\}$ is a block of the state partition $\mathrm{par}(A)$ induced by $A$:

$\mathrm{par}(A) \stackrel{\text{def}}{=} \{[s]_A \mid s \in \Sigma\}.$

Thus, $\mathrm{par} : \mathrm{Abs}(\wp(\Sigma)) \to \mathrm{Part}(\Sigma)$ is a mapping from abstract domains to partitions.

Example 3.1. Let $\Sigma = \{1,2,3,4\}$ and let us specify abstract domains as uco's on $\wp(\Sigma)$. The abstract
domains $A_1 = \{\varnothing, 12, 3, 4, 1234\}$, $A_2 = \{\varnothing, 12, 3, 4, 34, 1234\}$, $A_3 = \{\varnothing, 12, 3, 4, 34, 123, 124, 1234\}$,
$A_4 = \{12, 123, 124, 1234\}$ and $A_5 = \{\varnothing, 12, 123, 124, 1234\}$ all induce the same partition $P = \mathrm{par}(A_i) =
\{12, 3, 4\} \in \mathrm{Part}(\Sigma)$. For example, $\alpha_{A_5}(\{1\}) = \alpha_{A_5}(\{2\}) = \{1,2\}$, $\alpha_{A_5}(\{3\}) = \{1,2,3\}$ and
$\alpha_{A_5}(\{4\}) = \{1,2,3,4\}$ so that $\mathrm{par}(A_5) = P$. Observe that $A_3$ is the only partitioning abstract domain
because $\mathrm{pad}(P) = A_3$. □

Abstract domains of $\wp(\Sigma)$ carry additional information other than the underlying state partition and
this additional information distinguishes them. As shown in [24], it turns out that this can be precisely
stated by abstract interpretation since the above mappings par and pad allow us to view the whole lattice
of partitions of $\Sigma$ as a ("higher-order") abstraction of the lattice of abstract domains of $\wp(\Sigma)$:

$(\mathrm{par}, \mathrm{Abs}(\wp(\Sigma))_\sqsupseteq, \mathrm{Part}(\Sigma)_\succeq, \mathrm{pad})$ is a GI.

As a consequence, the mappings par and pad give rise to an order isomorphism between state partitions
and partitioning abstract domains: $\mathrm{Part}(\Sigma)_\preceq \cong \mathrm{Abs}_{\mathrm{par}}(\wp(\Sigma))_\sqsubseteq$.
3.2 Abstract Semantics and Generalized Strong Preservation

Concrete Semantics. We consider temporal specification languages $\mathcal{L}$ whose state formulae $\varphi$ are in-
ductively defined by:

$\mathcal{L} \ni \varphi ::= p \mid f(\varphi_1, \ldots, \varphi_n)$

where $p$ ranges over a (typically finite) set of atomic propositions $AP$, while $f$ ranges over a finite set $Op$
of operators. $AP$ and $Op$ are also denoted, respectively, by $AP_{\mathcal{L}}$ and $Op_{\mathcal{L}}$. Each operator $f \in Op$ has an
arity$^3$ $\sharp(f) > 0$.

Formulae in $\mathcal{L}$ are interpreted on a semantic structure $\mathcal{S} = (\Sigma, I)$ where $\Sigma$ is any (possibly infinite)
set of states and $I$ is an interpretation function $I : AP \cup Op \to \mathrm{Fun}(\wp(\Sigma))$ that maps $p \in AP$ to the set
$I(p) \in \wp(\Sigma)$ and $f \in Op$ to the function $I(f) : \wp(\Sigma)^{\sharp(f)} \to \wp(\Sigma)$. $I(p)$ and $I(f)$ are also denoted by,
respectively, $\mathbf{p}$ and $\mathbf{f}$. Moreover, $\mathbf{AP} = \{\mathbf{p} \in \wp(\Sigma) \mid p \in AP\}$ and $\mathbf{Op} \stackrel{\text{def}}{=} \{\mathbf{f} : \wp(\Sigma)^{\sharp(f)} \to \wp(\Sigma) \mid f \in
Op\}$. The concrete state semantic function $[\![\cdot]\!]_{\mathcal{S}} : \mathcal{L} \to \wp(\Sigma)$ evaluates a formula $\varphi \in \mathcal{L}$ to the set of states
making $\varphi$ true w.r.t. the semantic structure $\mathcal{S}$:

$[\![p]\!]_{\mathcal{S}} = \mathbf{p} \quad\text{and}\quad [\![f(\varphi_1, \ldots, \varphi_n)]\!]_{\mathcal{S}} = \mathbf{f}([\![\varphi_1]\!]_{\mathcal{S}}, \ldots, [\![\varphi_n]\!]_{\mathcal{S}}).$

Semantic structures generalize the role of Kripke structures. In fact, in standard model checking a semantic
structure is usually defined through a Kripke structure $\mathcal{K}$, so that the interpretation of logical/temporal
operators is defined in terms of paths in $\mathcal{K}$ and standard logical operators. In the following, we freely use
standard logical and temporal operators together with their usual interpretations: for example, $I(\wedge) = \cap$,
$I(\vee) = \cup$, $I(\neg) = \complement$, and if $\to$ denotes a transition relation in $\mathcal{K}$, then $I(\mathrm{EX}) = \mathrm{pre}_\to$, $I(\mathrm{AX}) = \widetilde{\mathrm{pre}}_\to$, etc.

If $g$ is any operator with arity $\sharp(g) = n > 0$, whose interpretation is given by $\mathbf{g} : \wp(\Sigma)^n \to \wp(\Sigma)$, and
$\mathcal{S} = (\Sigma, I)$ is a semantic structure, then we say that a language $\mathcal{L}$ is closed under $g$ for $\mathcal{S}$ when for any
$\varphi_1, \ldots, \varphi_n \in \mathcal{L}$ there exists some $\psi \in \mathcal{L}$ such that $\mathbf{g}([\![\varphi_1]\!]_{\mathcal{S}}, \ldots, [\![\varphi_n]\!]_{\mathcal{S}}) = [\![\psi]\!]_{\mathcal{S}}$. In particular, a language $\mathcal{L}$
is closed under (finite) infinite logical conjunction for $\mathcal{S}$ iff for any (finite) $\Phi \subseteq \mathcal{L}$ there exists some $\psi \in \mathcal{L}$
such that $\cap_{\varphi \in \Phi} [\![\varphi]\!]_{\mathcal{S}} = [\![\psi]\!]_{\mathcal{S}}$. In particular, let us note that if $\mathcal{L}$ is closed under infinite logical conjunction
then there must exist some $\psi \in \mathcal{L}$ such that $\cap \varnothing = \Sigma = [\![\psi]\!]_{\mathcal{S}}$, namely $\mathcal{L}$ is able to express the tautology true.
Let us also remark that if the state space $\Sigma$ is finite and $\mathcal{L}$ is closed under logical conjunction then we also
mean that there exists some $\psi \in \mathcal{L}$ such that $\cap \varnothing = \Sigma = [\![\psi]\!]_{\mathcal{S}}$. Finally, note that if $\mathcal{L}$ is closed under
negation and (infinite) logical conjunction then $\mathcal{L}$ is closed under (infinite) logical disjunction as well.

Abstract Semantics. Abstract interpretation allows us to define abstract semantics. Let $\mathcal{L}$ be a language
and $\mathcal{S} = (\Sigma, I)$ be a semantic structure for $\mathcal{L}$. An abstract semantic structure $\mathcal{S}^\sharp = (A, I^\sharp)$ is given by
an abstract domain $A \in \mathrm{Abs}(\wp(\Sigma)_\subseteq)$ and by an abstract interpretation function $I^\sharp : AP \cup Op \to \mathrm{Fun}(A)$.
An abstract semantic structure therefore induces an abstract semantic function $[\![\cdot]\!]_{\mathcal{S}^\sharp} : \mathcal{L} \to A$ that
evaluates formulae in $\mathcal{L}$ to abstract values in $A$. In particular, the abstract domain $A$ systematically induces
an abstract semantic structure $\mathcal{S}^A = (A, I^A)$ where $I^A$ is the best correct approximation of $I$ on $A$, i.e. $I^A$
interprets atoms $p$ and operators $f$ as best correct approximations on $A$ of, respectively, $\mathbf{p}$ and $\mathbf{f}$: for any
$p \in AP$ and $f \in Op$,

$I^A(p) \stackrel{\text{def}}{=} \alpha(\mathbf{p}) \quad\text{and}\quad I^A(f) \stackrel{\text{def}}{=} \mathbf{f}^A = \alpha \circ \mathbf{f} \circ \langle \gamma, \ldots, \gamma \rangle.$

Thus, the abstract domain $A$ always induces an abstract semantic function $[\![\cdot]\!]_{\mathcal{S}^A} : \mathcal{L} \to A$, also denoted by
$[\![\cdot]\!]^A_{\mathcal{S}}$, which is therefore defined by:

$[\![p]\!]^A_{\mathcal{S}} = \alpha(\mathbf{p}) \quad\text{and}\quad [\![f(\varphi_1, \ldots, \varphi_n)]\!]^A_{\mathcal{S}} = \mathbf{f}^A([\![\varphi_1]\!]^A_{\mathcal{S}}, \ldots, [\![\varphi_n]\!]^A_{\mathcal{S}}).$

Standard Strong Preservation. A state semantics $[\![\cdot]\!]_{\mathcal{S}}$ for a semantic/Kripke structure $\mathcal{S}$ induces a
state logical equivalence $\equiv^{\mathcal{S}}_{\mathcal{L}} \subseteq \Sigma \times \Sigma$ as usual:

$s \equiv^{\mathcal{S}}_{\mathcal{L}} s' \iff \forall \varphi \in \mathcal{L}.\ s \in [\![\varphi]\!]_{\mathcal{S}} \Leftrightarrow s' \in [\![\varphi]\!]_{\mathcal{S}}.$

$^3$ It would be possible to consider generic operators whose arity is any possibly infinite ordinal, thus allowing, for example, infinite
conjunctions or disjunctions.
Let $P_{\mathcal{L}} \in \mathrm{Part}(\Sigma)$ be the partition induced by $\equiv_{\mathcal{L}}$ (the index $\mathcal{S}$ denoting the semantic/Kripke structure is
omitted). For a number of well known temporal languages like CTL*, ACTL*, CTL*-X, it turns out that
if a partition is more refined than $P_{\mathcal{L}}$ then it induces a standard strongly preserving (s.p.) abstract model.
This means that if $\mathcal{L}$ is interpreted on a Kripke structure $\mathcal{K} = (\Sigma, \to, \ell)$ and $P \preceq P_{\mathcal{L}}$ then one can define
an abstract Kripke structure $\mathcal{A} = (P, \to^\sharp, \ell^\sharp)$ having the partition $P$ as abstract state space that strongly
preserves $\mathcal{L}$: for any $\varphi \in \mathcal{L}$, $s \in \Sigma$ and $B \in P$ such that $s \in B$, we have that $B \models^{\mathcal{A}} \varphi$ (that is, $B \in [\![\varphi]\!]_{\mathcal{A}}$)
if and only if $s \models^{\mathcal{K}} \varphi$ (that is, $s \in [\![\varphi]\!]_{\mathcal{K}}$). Let us recall a couple of well-known examples (see e.g. [4,7]):

(i) Let $P_{\mathrm{ACTL}^*} \in \mathrm{Part}(\Sigma)$ be the partition induced by ACTL* on some $\mathcal{K} = (\Sigma, \to, \ell)$. If $P \preceq P_{\mathrm{ACTL}^*}$
then the abstract Kripke structure $\mathcal{A} = (P, \to^{\forall\exists}, \ell_P)$ strongly preserves ACTL*, where $\ell_P(B) =
\cup\{\ell(s) \mid s \in B\}$ and $\to^{\forall\exists} \subseteq P \times P$ is defined as: $B_1 \to^{\forall\exists} B_2 \iff \forall s_1 \in B_1.\ \exists s_2 \in B_2.\ s_1 \to s_2$.

(ii) Let $P_{\mathrm{CTL}^*} \in \mathrm{Part}(\Sigma)$ be the partition induced by CTL* on $\mathcal{K}$. If $P \preceq P_{\mathrm{CTL}^*}$ then the abstract Kripke
structure $\mathcal{A} = (P, \to^{\exists\exists}, \ell_P)$ strongly preserves CTL*, where $B_1 \to^{\exists\exists} B_2 \iff \exists s_1 \in B_1, s_2 \in
B_2.\ s_1 \to s_2$.

Following Dams [7, Section 6.1] and Henzinger et al. [19, Section 2.2], the notion of strong preser-
vation can be given w.r.t. a mere state partition rather than w.r.t. an abstract Kripke structure. A partition
$P \in \mathrm{Part}(\Sigma)$ is strongly preserving$^4$ for $\mathcal{L}$ (when interpreted on a semantic/Kripke structure $\mathcal{S}$) if $P \preceq P_{\mathcal{L}}$.
In this sense, $P_{\mathcal{L}}$ is the coarsest partition that is strongly preserving for $\mathcal{L}$. For a number of well known
temporal languages, like ACTL*, CTL* (see, respectively, the above points (i) and (ii)), CTL*-X and
the fragments of the $\mu$-calculus described by Henzinger et al. [19], it turns out that if $P$ is strongly pre-
serving for $\mathcal{L}$ then the abstract Kripke structure $(P, \to^{\exists\exists}, \ell_P)$ is strongly preserving for $\mathcal{L}$. In particular,
$(P_{\mathcal{L}}, \to^{\exists\exists}, \ell_{P_{\mathcal{L}}})$ is strongly preserving for $\mathcal{L}$ and, additionally, $P_{\mathcal{L}}$ is the smallest possible abstract state
space, namely if $\mathcal{A} = (A, \to^\sharp, \ell^\sharp)$ is an abstract Kripke structure that strongly preserves $\mathcal{L}$ then $|P_{\mathcal{L}}| \leq |A|$.

Generalized Strong Preservation. Intuitively, the partition $P_{\mathcal{L}}$ is an abstraction of the state semantics
$[\![\cdot]\!]_{\mathcal{S}}$. Let us make this intuition precise. Following [24], an abstract domain $A \in \mathrm{Abs}(\wp(\Sigma))$ is defined to be
strongly preserving for $\mathcal{L}$ (w.r.t. $\mathcal{S}$) when for any $S \in \wp(\Sigma)$ and $\varphi \in \mathcal{L}$: $\alpha(S) \leq_A \alpha([\![\varphi]\!]_{\mathcal{S}}) \iff S \subseteq [\![\varphi]\!]_{\mathcal{S}}$. This
generalizes strong preservation from partitions to abstract domains because, by exploiting the isomorphism
in Section 3.1 between partitions and partitioning abstract domains, it turns out that $P$ is a s.p. partition for
$\mathcal{L}$ w.r.t. $\mathcal{S}$ iff $\mathrm{pad}(P)$ is a s.p. abstract domain for $\mathcal{L}$ w.r.t. $\mathcal{S}$.

Forward Complete Shells and Strong Preservation. Partition refinement algorithms for computing be-
havioural equivalences like bisimulation [22], simulation equivalence [3,18,26] and (divergence blind)
stuttering equivalence [15] are used in abstract model checking to compute the coarsest strongly preserv-
ing partition of temporal languages like CTL* or the $\mu$-calculus for the case of bisimulation equivalence,
ACTL* for simulation equivalence and CTL*-X for stuttering equivalence. Let us recall from [24] how
the input/output behaviour of these partition refinement algorithms can be generalized through abstract
interpretation. Given a language $\mathcal{L}$ and a concrete state space $\Sigma$, partition refinement algorithms work
by iteratively refining an initial partition $P$ within the lattice of partitions $\mathrm{Part}(\Sigma)$ until the fixpoint $P_{\mathcal{L}}$
is reached. The input partition $P$ determines a set $AP_P$ of atoms and a corresponding interpretation $I_P$
as follows: $AP_P = \{p_B \mid B \in P\}$ and $I_P(p_B) = B$. More in general, any $\mathcal{X} \subseteq \wp(\Sigma)$ determines a set
$\{p_X\}_{X \in \mathcal{X}}$ of atoms with interpretation $I_{\mathcal{X}}(p_X) = X$. In particular, this can be done for an abstract domain
$A \in \mathrm{Abs}(\wp(\Sigma))$ by considering its concretization $\gamma(A) \subseteq \wp(\Sigma)$, namely $A$ is viewed as a set of atoms with
interpretation $I_A(a) = \gamma(a)$. Thus, an abstract domain $A \in \mathrm{Abs}(\wp(\Sigma))$ together with a set of functions
$F \subseteq \mathrm{Fun}(\wp(\Sigma))$ determine a language $\mathcal{L}_{A,F}$, with atoms in $A$, operations in $F$ and endowed with a seman-
tic structure $\mathcal{S}_{A,F} = (\Sigma, I_A \cup I_F)$ such that for any $a \in A$, $I_A(a) = \gamma(a)$ and for any $f \in F$, $I_F(f) = f$.
When $\mathcal{L}_{A,F}$ is closed under infinite logical conjunction (for finite state spaces this boils down to closure
under finite conjunction) it turns out that the forward complete shell of $A$ for $F$ provides exactly the most
abstract domain in $\mathrm{Abs}(\wp(\Sigma))$ that refines $A$ and is strongly preserving for $\mathcal{L}_{A,F}$ (w.r.t. $\mathcal{S}_{A,F}$):

$\mathcal{S}_F(A) = \sqcup \{X \in \mathrm{Abs}(\wp(\Sigma)) \mid X \sqsubseteq A,\ X \text{ is s.p. for } \mathcal{L}_{A,F}\}.$ (3.1)

$^4$ Dams [7] uses the term "fine" instead of "strongly preserving".
Figure 2: A Kripke structure.

In other terms, forward complete shells coincide with strongly preserving shells.

On the other hand, let $P_\ell$ denote the state partition induced by the state labeling of a semantic/Kripke
structure and let $\mathcal{L}$ be closed under logical conjunction and negation. Then, the coarsest s.p. partition $P_{\mathcal{L}}$
can be characterized as a forward complete shell as follows:

$P_{\mathcal{L}} = \mathrm{par}(\mathcal{S}_{\mathbf{Op}_{\mathcal{L}}}(\mathrm{pad}(P_\ell))).$ (3.2)

Example 3.2. Consider the following simple language $\mathcal{L}$

and the Kripke structure $\mathcal{K}$ depicted in Figure 2, where superscripts determine the labeling function $\ell$ and
the interpretation of EX in $\mathcal{K}$ is the predecessor operator. The labeling function $\ell$ determines the partition
$P_\ell = \{p = 1235, q = 4\} \in \mathrm{Part}(\Sigma)$, so that $\mathrm{pad}(P_\ell) = \{\varnothing, 1235, 4, 12345\} \in \mathrm{Abs}(\wp(\Sigma))$. Abstract
domains are Moore-closed so that $\mathcal{S}_{\mathbf{Op}_{\mathcal{L}}} = \mathcal{S}_{\mathrm{pre}}$. Let us compute $\mathcal{S}_{\mathrm{pre}}(\mathrm{pad}(P_\ell))$.

$X_0 = \mathrm{pad}(P_\ell) = \{\varnothing, 1235, 4, 12345\}$

$X_1 = X_0 \sqcap \mathcal{M}(\mathrm{pre}(X_0)) = \mathcal{M}(X_0 \cup \mathrm{pre}(X_0))$
$\quad = \mathcal{M}(\{\varnothing, 1235, 4, 12345\} \cup \{\mathrm{pre}(\{4\}) = 135\}) = \{\varnothing, 135, 1235, 4, 12345\}$

$X_2 = X_1 \sqcap \mathcal{M}(\mathrm{pre}(X_1)) = \mathcal{M}(X_1 \cup \mathrm{pre}(X_1))$
$\quad = \mathcal{M}(\{\varnothing, 135, 1235, 4, 12345\} \cup \{\mathrm{pre}(\{135\}) = 1245\}) = \{\varnothing, 15, 125, 135, 1235, 4, 1245, 12345\}$

$X_3 = X_2$ (fixpoint)

By (3.1), $X_2$ is the most abstract domain that strongly preserves $\mathcal{L}$. Moreover, by (3.2), $P_{\mathcal{L}} = \mathrm{par}(X_2) =
\{15, 2, 3, 4\}$ is the coarsest partition that strongly preserves $\mathcal{L}$. Observe that the abstract domain $X_2$ is not
partitioning, so that $\mathrm{pad}(P_{\mathcal{L}}) \sqsubset \mathcal{S}_{\mathrm{pre}}(\mathrm{pad}(P_\ell))$. □
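The computations of Examples 2.1, 3.1 and 3.2 above, reproduced in code as an added example (this is not code from the paper). Abstract domains are represented by their images, Moore families of frozensets; `shell` iterates the greatest fixpoint of (2.1) from the top, `par` and `pad` are the maps of Section 3.1, and `is_forward_complete` is the closure condition $F(\gamma(A)) \subseteq \gamma(A)$. Since Figure 2 is not reproduced, the 5-state Kripke structure used for Example 3.2 is constructed here and is only assumed to agree with the two pre-images the example quotes; the names `fs`, `moore_add`, `SIGMA4`, `R5` and `P_ELL` are mine.

```python
"""Forward complete shells via (2.1), plus par/pad (added example, not the paper's code)."""
from itertools import combinations


def fs(*xs):
    """Shorthand: fs(1, 2, 3) is the set the paper writes as 123."""
    return frozenset(xs)


def moore_add(family, new):
    """M(gamma(A) ∪ {new}) for an intersection-closed family: the only new
    meets are those of `new` with the existing members."""
    return frozenset(family) | frozenset(x & new for x in family)


def moore(sets, universe):
    """M(sets): the least Moore family containing `sets` (and the top element)."""
    closed = frozenset({frozenset(universe)})
    for s in sets:
        closed = moore_add(closed, frozenset(s))
    return closed


def pre(R):
    """pre_R(S) = {s | exists t in S with (s, t) in R}."""
    return lambda S: frozenset(s for (s, t) in R if t in S)


def post(R):
    """post_R(S) = {t | exists s in S with (s, t) in R}."""
    return lambda S: frozenset(t for (s, t) in R if s in S)


def is_forward_complete(A, F):
    """Forward F-completeness of the Moore family A: F(gamma(A)) ⊆ gamma(A)."""
    return all(f(S) in A for f in F for S in A)


def shell(A, F, universe):
    """S_F(A) = gfp(F_A), iterated from the top as in (2.1):
    X_0 = {Sigma},  X_{i+1} = M(gamma(A) ∪ F(gamma(X_i))).
    Returns the shell and the iterates X_0, X_1, ... (the last two are equal)."""
    A = moore(A, universe)
    X = frozenset({frozenset(universe)})
    iterates = [X]
    while True:
        images = {f(S) for f in F for S in X}   # every image recomputed each round
        X_next = moore(set(A) | images, universe)
        iterates.append(X_next)
        if X_next == X:
            return X, iterates
        X = X_next


def alpha(A, S):
    """alpha_A(S): the least member of the Moore family A containing S."""
    S = frozenset(S)
    return frozenset.intersection(*[x for x in A if S <= x])


def par(A, universe):
    """par(A): s and s' share a block iff alpha({s}) = alpha({s'})."""
    blocks = {}
    for s in universe:
        blocks.setdefault(alpha(A, {s}), set()).add(s)
    return frozenset(frozenset(b) for b in blocks.values())


def pad(P):
    """pad(P): every union of blocks of P (the empty union is the empty set)."""
    P = list(P)
    return frozenset(frozenset().union(*c)
                     for k in range(len(P) + 1) for c in combinations(P, k))


# Example 2.1: Sigma = {1,2,3,4}, R = {(1,2),(2,3),(3,4),(4,4)}, A = {∅, 2, 1234}.
SIGMA4 = fs(1, 2, 3, 4)
R4 = {(1, 2), (2, 3), (3, 4), (4, 4)}
A21 = {fs(), fs(2), SIGMA4}

# Example 3.1: five domains over the same Sigma that induce the partition {12, 3, 4}.
A1 = {fs(), fs(1, 2), fs(3), fs(4), SIGMA4}
A2 = A1 | {fs(3, 4)}
A3 = A2 | {fs(1, 2, 3), fs(1, 2, 4)}
A4 = {fs(1, 2), fs(1, 2, 3), fs(1, 2, 4), SIGMA4}
A5 = A4 | {fs()}

# Example 3.2: a 5-state Kripke structure CONSTRUCTED here (Figure 2 is not
# reproduced); it agrees with the two pre-images the example quotes,
# pre({4}) = 135 and pre({1,3,5}) = 1245.  Labels: p on 1,2,3,5 and q on 4.
SIGMA5 = fs(1, 2, 3, 4, 5)
R5 = {(1, 4), (1, 5), (2, 1), (3, 2), (3, 4), (4, 5), (5, 1), (5, 4)}
P_ELL = {fs(1, 2, 3, 5), fs(4)}

if __name__ == "__main__":
    S, its = shell(A21, [post(R4)], SIGMA4)
    print("S_post(A) =", sorted(map(sorted, S)), "after", len(its) - 1, "rounds")
    S_pre, _ = shell(pad(P_ELL), [pre(R5)], SIGMA5)
    print("P_L =", sorted(map(sorted, par(S_pre, SIGMA5))))
```

Running the module prints $\mathcal{S}_{\mathrm{post}_R}(A)$ after the four rounds of Example 2.1 and $P_{\mathcal{L}} = \{15, 2, 3, 4\}$ for the constructed structure. Note how `shell` recomputes the image of every member of the current domain in each round; this is the inefficiency that Section 4.1 points out and that the refiner-based algorithms of Section 4 avoid.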



4 GPT: A Generalized Paige-Tarjan Refinement Algorithm 

In order to emphasize the ideas leading to our generalized Paige-Tarjan algorithm, let us first describe how 
some features of the Paige-Tarjan algorithm can be viewed and generalized from an abstract interpretation 
perspective. 

4.1 A New Perspective of PT

Consider a finite Kripke structure $(\Sigma, \to, \ell)$ over a set $AP$ of atoms. In the following, $\mathrm{Part}(\Sigma)$ and $\mathrm{pre}_\to$
will be more simply denoted by, respectively, Part and pre. As a direct consequence of (3.1), it turns out
[24] that the output $\mathrm{PT}(P)$ of the Paige-Tarjan algorithm on an input partition $P \in \mathrm{Part}$ is the partitioning
abstraction of the forward $\{\mathrm{pre}, \complement\}$-complete shell of $\mathrm{pad}(P)$, i.e.

$\mathrm{PT}(P) = \mathrm{par}(\mathcal{S}_{\{\mathrm{pre}, \complement\}}(\mathrm{pad}(P))).$
Hennessy-Milner logic HML is inductively generated by the logical/temporal operators of conjunction,
negation and existential next-time, so that $\mathbf{Op}_{\mathrm{HML}} = \{\cap, \complement, \mathrm{pre}\}$. Moreover, as noted in Section 2.3,
$\mathcal{S}_{\{\cap, \complement, \mathrm{pre}\}} = \mathcal{S}_{\{\complement, \mathrm{pre}\}}$. Hence, by (3.2), we observe that $\mathrm{PT}(P)$ computes the coarsest partition $P_{\mathrm{HML}}$ that
is strongly preserving for HML.

On the other hand, equation (2.1) provides a constructive characterization of forward complete shells,
meaning that it provides a naive fixpoint algorithm for computing a complete shell $\mathcal{S}_F(A) = \mathrm{gfp}(F_A)$:
begin with $X = \{\Sigma\} = \top_{\mathrm{Abs}(\wp(\Sigma))}$ and iteratively, at each step, compute $F_A(X)$ until a fixpoint is
reached. This scheme could in particular be applied for computing $\mathcal{S}_{\{\mathrm{pre}, \complement\}}(\mathrm{pad}(P))$. Note however that
this naive fixpoint algorithm is far from being efficient since at each step $F_A(X)$ always re-computes the
images $f(x)$ that have already been computed at the previous step (cf. Example 2.1).

In our abstract interpretation view, PT is therefore an algorithm that computes 

a particular abstraction of a particular forward complete shell. 

Our goal is to analyze the basic steps of the PT algorithm in order to investigate whether it can be gener- 
alized from an abstract interpretation perspective to an algorithm that computes 

a generic abstraction of a generic forward complete shell. 

Let us first isolate in our framework the following key points concerning the PT algorithm. 

Lemma 4.1. Let $P \in \mathrm{Part}$ and $S \subseteq \Sigma$.

(i) $\mathrm{PTsplit}(S, P) = \mathrm{par}(\mathcal{M}(\mathrm{pad}(P) \cup \{\mathrm{pre}(S)\})) = \mathrm{par}(\mathrm{pad}(P) \sqcap \mathcal{M}(\{\mathrm{pre}(S)\}))$.

(ii) $\mathrm{PTrefiners}(P) = \{S \in \mathrm{pad}(P) \mid \mathrm{par}(\mathcal{M}(\mathrm{pad}(P) \cup \{\mathrm{pre}(S)\})) \prec P\}$.

(iii) $P$ is PT stable iff $\{S \in \mathrm{pad}(P) \mid \mathrm{par}(\mathcal{M}(\mathrm{pad}(P) \cup \{\mathrm{pre}(S)\})) \prec P\} = \varnothing$.

Proof. (i) By definition, $\mathrm{PTsplit}(S, P) = P \wedge \{\mathrm{pre}(S), \complement(\mathrm{pre}(S))\}$. Note that $\mathrm{par}(\mathcal{M}(\{\mathrm{pre}(S)\})) =
\mathrm{par}(\{\mathrm{pre}(S), \Sigma\}) = \{\mathrm{pre}(S), \complement(\mathrm{pre}(S))\}$. Finally, observe that $\mathcal{M}(\mathrm{pad}(P) \cup \{\mathrm{pre}(S)\}) = \mathrm{pad}(P) \sqcap
\mathcal{M}(\{\mathrm{pre}(S)\})$. Also, since $\mathrm{par} : \mathrm{Abs}(\wp(\Sigma))_\sqsupseteq \to \mathrm{Part}(\Sigma)_\succeq$ is a left-adjoint map and therefore it is
additive, it turns out that

$\mathrm{par}(\mathcal{M}(\mathrm{pad}(P) \cup \{\mathrm{pre}(S)\})) =$ [by the equation shown above]
$\mathrm{par}(\mathrm{pad}(P) \sqcap \mathcal{M}(\{\mathrm{pre}(S)\})) =$ [by additivity of par]
$\mathrm{par}(\mathrm{pad}(P)) \wedge \mathrm{par}(\mathcal{M}(\{\mathrm{pre}(S)\})) =$ [since $\mathrm{par} \circ \mathrm{pad} = \mathrm{id}$]
$P \wedge \{\mathrm{pre}(S), \complement(\mathrm{pre}(S))\}.$

Points (ii) and (iii) follow immediately from (i). □

Given any set $S \subseteq \Sigma$, consider a domain refinement operation $\mathrm{refine}_{\mathrm{pre}}(S, \cdot) : \mathrm{Abs}(\wp(\Sigma)) \to \mathrm{Abs}(\wp(\Sigma))$
defined as

$\mathrm{refine}_{\mathrm{pre}}(S, A) = A \sqcap \mathcal{M}(\{\mathrm{pre}(S)\}) = \mathcal{M}(\gamma(A) \cup \{\mathrm{pre}(S)\}).$

Observe that the best correct approximation of $\mathrm{refine}_{\mathrm{pre}}(S, \cdot)$ on the abstract domain Part is $\mathrm{refine}^{\mathrm{Part}}_{\mathrm{pre}}(S, \cdot) :
\mathrm{Part} \to \mathrm{Part}$ defined as

$\mathrm{refine}^{\mathrm{Part}}_{\mathrm{pre}}(S, P) = \mathrm{par}(\mathrm{pad}(P) \sqcap \mathcal{M}(\{\mathrm{pre}(S)\})).$

Thus, Lemma 4.1 (i) provides a characterization of the PT splitting step as the best correct approximation
of $\mathrm{refine}_{\mathrm{pre}}$ on Part. In turn, Lemma 4.1 (ii)-(iii) yield a characterization of PTrefiners and PT stability
based on this best correct approximation $\mathrm{refine}^{\mathrm{Part}}_{\mathrm{pre}}$. As a consequence, PT may be reformulated as follows.

while $\{T \in \mathrm{pad}(P) \mid \mathrm{refine}^{\mathrm{Part}}_{\mathrm{pre}}(T, P) \prec P\} \neq \varnothing$ do
    choose $S \in \{T \in \mathrm{pad}(P) \mid \mathrm{refine}^{\mathrm{Part}}_{\mathrm{pre}}(T, P) \prec P\}$;
    $P := \mathrm{refine}^{\mathrm{Part}}_{\mathrm{pre}}(S, P)$;
endwhile

In the following, this view of PT is generalized to any abstract domain in $\mathrm{Abs}(\wp(\Sigma))$ and some conditions
ensuring the correctness of this generalized algorithm are isolated.
4.2 Generalizing PT

We generalize Lemma 4.1 as follows. Let $F \subseteq \mathrm{Fun}(\wp(\Sigma))$. We define a family of domain refinement
operators $\mathrm{refine}_f : \wp(\Sigma)^{\sharp(f)} \to (\mathrm{Abs}(\wp(\Sigma)) \to \mathrm{Abs}(\wp(\Sigma)))$ indexed on functions $f \in F$ and tuples of sets $\vec{S}$:

(i) $\mathrm{refine}_f(\vec{S}, A) \stackrel{\text{def}}{=} A \sqcap \mathcal{M}(\{f(\vec{S})\})$.

A tuple $\vec{S}$ is called an $F$-refiner for an abstract domain $A$ when there exists $f \in F$ such that $\vec{S} \in \gamma(A)^{\sharp(f)}$
and indeed $\vec{S}$ may contribute to refine $A$ w.r.t. $f$, i.e., $\mathrm{refine}_f(\vec{S}, A) \sqsubset A$. We thus define refiners of an
abstract domain as follows:

(ii) $\mathrm{Refiners}_f(A) = \{\vec{S} \in \gamma(A)^{\sharp(f)} \mid \mathrm{refine}_f(\vec{S}, A) \sqsubset A\}$; $\mathrm{Refiners}_F(A) = \cup_{f \in F} \mathrm{Refiners}_f(A)$,

and in turn abstract domain stability as follows:

(iii) $A$ is $F$-stable iff $\mathrm{Refiners}_F(A) = \varnothing$.



Concrete PT. The above observations lead us to design the following PT-like algorithm called $\mathrm{CPT}_F$
(Concrete PT), parameterized by $F$, which takes as input an abstract domain $A \in \mathrm{Abs}(\wp(\Sigma))$ and com-
putes the forward $F$-complete shell of $A$.

input: abstract domain $A \in \mathrm{Abs}(\wp(\Sigma))$;
while ($\mathrm{Refiners}_F(A) \neq \varnothing$) do
    choose for some $f \in F$, $\vec{S} \in \mathrm{Refiners}_f(A)$;
    $A := \mathrm{refine}_f(\vec{S}, A)$;
endwhile;
output: $A$;

$\mathrm{CPT}_F$



Lemma 4.2. Let $A \in \mathrm{Abs}(\wp(\Sigma))$.

(i) $A$ is forward $F$-complete iff $\mathrm{Refiners}_F(A) = \varnothing$.

(ii) Let $\Sigma$ be finite. Then, $\mathrm{CPT}_F$ always terminates and $\mathrm{CPT}_F(A) = \mathcal{S}_F(A)$.

Proof. (i) Given $f \in F$, notice that $A = \mathrm{refine}_f(\vec{S}, A)$ iff $f(\vec{S}) \in \gamma(A)$. Hence, $\mathrm{Refiners}_f(A) = \varnothing$ iff
for any $\vec{S} \in \gamma(A)^{\sharp(f)}$, $f(\vec{S}) \in \gamma(A)$, namely, iff $f(\gamma(A)) \subseteq \gamma(A)$ iff $A$ is forward $f$-complete. Thus,
$\mathrm{Refiners}_F(A) = \varnothing$ iff $A$ is forward $F$-complete.

(ii) We denote by $X_i \in \mathrm{uco}(\wp(\Sigma))$, $f_i \in F$ and $\vec{S}_i \in \mathrm{Refiners}_{f_i}(X_i)$ the sequences of, respectively,
uco's, functions in $F$ and refiners that are iteratively computed in some run of $\mathrm{CPT}_F(A)$, where $X_0 = A$.
Observe that $\{X_i\}$ is a decreasing chain in $\mathrm{uco}(\wp(\Sigma))_\sqsubseteq$, hence, since $\Sigma$ is assumed to be finite, it turns out
that $\{X_i\}$ is finite. We denote by $X_{fin}$ the last uco in the sequence $\{X_i\}$, i.e., $\mathrm{CPT}_F(A) = X_{fin}$. Since
$\mathrm{Refiners}_F(X_{fin}) = \varnothing$, by point (i), $X_{fin}$ is forward $F$-complete, and therefore, from $X_{fin} \sqsubseteq A$, we obtain
that $X_{fin} \sqsubseteq \mathcal{S}_F(A)$.

Let us show, by induction on $i$, that $X_i \sqsupseteq \mathcal{S}_F(A)$.
($i = 0$): Clearly, $X_0 = A \sqsupseteq \mathcal{S}_F(A)$.

($i + 1$): By inductive hypothesis and monotonicity of $\mathrm{refine}_{f_i}$, it turns out that $X_{i+1} = \mathrm{refine}_{f_i}(\vec{S}_i, X_i) \sqsupseteq
\mathrm{refine}_{f_i}(\vec{S}_i, \mathcal{S}_F(A))$. Moreover, by point (i), since $\mathcal{S}_F(A)$ is forward $f_i$-complete, we have that

$\mathrm{refine}_{f_i}(\vec{S}_i, \mathcal{S}_F(A)) = \mathcal{S}_F(A).$

Thus, we obtain the thesis $X_{fin} = \mathcal{S}_F(A)$. □
Example 4.3. Let us illustrate CPT on the abstract domain $A = \{\varnothing, 2, 1234\}$ of Example 2.1.

$X_0 = A = \{\varnothing, 2, 1234\}$
$S_0 = \{2\} \in \mathrm{Refiners}_{\mathrm{post}_R}(X_0)$
$X_1 = \mathcal{M}(X_0 \cup \{\mathrm{post}_R(S_0)\}) = \mathcal{M}(X_0 \cup \{3\}) = \{\varnothing, 2, 3, 1234\}$
$S_1 = \{3\} \in \mathrm{Refiners}_{\mathrm{post}_R}(X_1)$
$X_2 = \mathcal{M}(X_1 \cup \{\mathrm{post}_R(S_1)\}) = \mathcal{M}(X_1 \cup \{4\}) = \{\varnothing, 2, 3, 4, 1234\}$
$S_2 = \{1234\} \in \mathrm{Refiners}_{\mathrm{post}_R}(X_2)$
$X_3 = \mathcal{M}(X_2 \cup \{\mathrm{post}_R(S_2)\}) = \mathcal{M}(X_2 \cup \{234\}) = \{\varnothing, 2, 3, 4, 234, 1234\}$
$S_3 = \{234\} \in \mathrm{Refiners}_{\mathrm{post}_R}(X_3)$
$X_4 = \mathcal{M}(X_3 \cup \{\mathrm{post}_R(S_3)\}) = \mathcal{M}(X_3 \cup \{34\}) = \{\varnothing, 2, 3, 4, 34, 234, 1234\}$
$\Rightarrow \mathrm{Refiners}_{\mathrm{post}_R}(X_4) = \varnothing$

Let us note that while in Example 2.1 each step consists in computing the images of $\mathrm{post}_R$ for the sets
belonging to the whole domain at the previous step and this gives rise to re-computations, here instead an
image $f(S_i)$ is never computed twice because at each step we nondeterministically choose a refiner $S_i$ and
apply $\mathrm{post}_R$ to $S_i$. □

Abstract PT. Our goal is to design an abstract version of $\mathrm{CPT}_F$ that works on a generic abstraction $\mathcal{A}$ of
the lattice of abstract domains $\mathrm{Abs}(\wp(\Sigma))$. As recalled in Section 3.1, partitions can be viewed as a "higher-
order" abstraction of abstract domains through the Galois insertion $(\mathrm{par}, \mathrm{Abs}(\wp(\Sigma))_\sqsupseteq, \mathrm{Part}(\Sigma)_\succeq, \mathrm{pad})$.
This is a dual GI since both ordering relations in $\mathrm{Abs}(\wp(\Sigma))$ and $\mathrm{Part}(\Sigma)$ are reversed. This depends on
the fact that we want to obtain a complete approximation of a forward complete shell, which, by (2.1),
is a greatest fixpoint, so that we need to approximate a greatest fixpoint computation "from above" in-
stead of "from below" as happens for a least fixpoint computation. We thus consider a Galois insertion
$(\alpha, \mathrm{Abs}(\wp(\Sigma))_\sqsupseteq, \mathcal{A}_\geq, \gamma)$ of an abstract domain $\mathcal{A}_\geq$ into the dual lattice of abstract domains $\mathrm{Abs}(\wp(\Sigma))_\sqsupseteq$.
The ordering relation of the abstract domain $\mathcal{A}$ is denoted by $\geq$ because this makes concrete and abstract
ordering notations uniform. It is worth remarking that since we require a Galois insertion of $\mathcal{A}$ into the
complete lattice $\mathrm{Abs}(\wp(\Sigma))$, by standard results [6], $\mathcal{A}$ must necessarily be a complete lattice as well. For
any $f \in F$, the best correct approximation $\mathrm{refine}^{\mathcal{A}}_f : \wp(\Sigma)^{\sharp(f)} \to (\mathcal{A} \to \mathcal{A})$ of $\mathrm{refine}_f$ on $\mathcal{A}$ is therefore
defined as usual by:

(i) $\mathrm{refine}^{\mathcal{A}}_f(\vec{S}, a) = \alpha(\mathrm{refine}_f(\vec{S}, \gamma(a)))$.

Accordingly, abstract refiners and stability are defined as follows:

(ii) $\mathrm{Refiners}^{\mathcal{A}}_f(a) = \{\vec{S} \in \gamma(a)^{\sharp(f)} \mid \mathrm{refine}^{\mathcal{A}}_f(\vec{S}, a) < a\}$; $\mathrm{Refiners}^{\mathcal{A}}_F(a) = \cup_{f \in F} \mathrm{Refiners}^{\mathcal{A}}_f(a)$.

(iii) An abstract object $a \in \mathcal{A}$ is $F$-stable iff $\mathrm{Refiners}^{\mathcal{A}}_F(a) = \varnothing$.

We may now define the following abstract version of the above algorithm $\mathrm{CPT}_F$, called $\mathrm{GPT}^{\mathcal{A}}_F$ (Gen-
eralized PT), that is parameterized on the abstract domain $\mathcal{A}$.



input: abstract object $a \in \mathcal{A}$;
while ($\mathrm{Refiners}^{\mathcal{A}}_F(a) \neq \varnothing$) do
    choose for some $f \in F$, $\vec{S} \in \mathrm{Refiners}^{\mathcal{A}}_f(a)$;
    $a := \mathrm{refine}^{\mathcal{A}}_f(\vec{S}, a)$;
endwhile;
output: $a$;

$\mathrm{GPT}^{\mathcal{A}}_F$

$\mathrm{GPT}^{\mathcal{A}}_F(a)$ computes a sequence of abstract objects $\{a_i\}_{i \in \mathbb{N}}$ which is a decreasing chain in $\mathcal{A}_\leq$, namely
$a_{i+1} < a_i$. Thus, in order to ensure termination of $\mathrm{GPT}^{\mathcal{A}}_F$ it is enough to consider an abstract domain $\mathcal{A}$
such that $(\mathcal{A}, \leq)$ satisfies the descending chain condition (DCC), i.e., every descending chain is eventually
stationary. Furthermore, let us remark that correctness for $\mathrm{GPT}^{\mathcal{A}}_F$ means that for any input object $a \in \mathcal{A}$,
$\mathrm{GPT}^{\mathcal{A}}_F(a)$ computes exactly the abstraction in $\mathcal{A}$ of the forward $F$-complete shell of the abstract domain
$\gamma(a)$, that is

$\mathrm{GPT}^{\mathcal{A}}_F(a) = \alpha(\mathcal{S}_F(\gamma(a))).$
Note that, by (2.1), $\alpha(\mathcal{S}_F(\gamma(a))) = \alpha(\mathrm{gfp}(F_{\gamma(a)}))$. It should be clear that correctness for GPT is somehow
related to backward completeness in abstract interpretation. In fact, if the abstract domain $\mathcal{A}$ is backward
complete for $F_{\gamma(a)} = \lambda X.\ \gamma(a) \sqcap F^M(X)$ then it is also fixpoint complete (cf. Section 2.2.2), so that
$\alpha(\mathrm{gfp}(F_{\gamma(a)})) = \mathrm{gfp}(F^{\mathcal{A}}_{\gamma(a)})$, where $F^{\mathcal{A}}_{\gamma(a)}$ is the best correct approximation of the operator $F_{\gamma(a)}$ on the
abstract domain $\mathcal{A}$. The intuition is that $\mathrm{GPT}^{\mathcal{A}}_F(a)$ is an algorithm for computing the greatest fixpoint
$\mathrm{gfp}(F^{\mathcal{A}}_{\gamma(a)})$. Indeed, the following result shows that $\mathrm{GPT}^{\mathcal{A}}_F$ is correct when $\mathcal{A}$ is backward complete for
$F^M$, because this implies that $\mathcal{A}$ is backward complete for $F_A$, for any abstract domain $A$. Moreover, we
also isolate the following condition ensuring correctness for $\mathrm{GPT}^{\mathcal{A}}_F$: the forward $F$-complete shell operator
$\mathcal{S}_F$ maps domains in $\mathcal{A}$ into domains in $\mathcal{A}$, namely the higher-order abstraction $\mathcal{A}$ is forward complete for
the forward $F$-complete shell $\mathcal{S}_F$.

Theorem 4.4. Let $\mathcal{A}_\leq$ be DCC and assume that one of the following conditions holds:

(i) $\mathcal{A}$ is backward complete for $F^M$.

(ii) $\mathcal{A}$ is forward complete for $\mathcal{S}_F$.

Then, $\mathrm{GPT}^{\mathcal{A}}_F$ always terminates and for any $a \in \mathcal{A}$, $\mathrm{GPT}^{\mathcal{A}}_F(a) = \alpha(\mathcal{S}_F(\gamma(a)))$.

Proof. Let us first show the following two facts. For any $a \in \mathcal{A}$:

(A) $\mathrm{Refiners}_F(\gamma(a)) = \mathrm{Refiners}^{\mathcal{A}}_F(a)$.

(B) $\gamma(a)$ is forward $F$-complete iff $\mathrm{Refiners}^{\mathcal{A}}_F(a) = \varnothing$.

(A) Let $f \in F$. Note that $\mathrm{refine}_f(\vec{S}, \gamma(a)) = \gamma(a) \sqcap \mathcal{M}(\{f(\vec{S})\})$ and therefore $\mathrm{refine}^{\mathcal{A}}_f(\vec{S}, a) =
\alpha(\gamma(a) \sqcap \mathcal{M}(\{f(\vec{S})\})) = \alpha(\gamma(a)) \wedge_{\mathcal{A}} \alpha(\mathcal{M}(\{f(\vec{S})\})) = a \wedge_{\mathcal{A}} \alpha(\mathcal{M}(\{f(\vec{S})\}))$. Consequently, $\vec{S} \in
\mathrm{Refiners}_f(\gamma(a))$ iff $\vec{S} \in \gamma(a)^{\sharp(f)}$ and $\mathcal{M}(\{f(\vec{S})\}) \not\sqsupseteq \gamma(a)$. Likewise, $\vec{S} \in \mathrm{Refiners}^{\mathcal{A}}_f(a)$ iff $\vec{S} \in \gamma(a)^{\sharp(f)}$
and $\alpha(\mathcal{M}(\{f(\vec{S})\})) \not\geq a$. These are equivalent properties, because, by Galois insertion, we have that
$\alpha(\mathcal{M}(\{f(\vec{S})\})) \geq a$ iff $\mathcal{M}(\{f(\vec{S})\}) \sqsupseteq \gamma(a)$.

(B) $\gamma(a)$ is forward $F$-complete iff $\mathrm{Refiners}_F(\gamma(a)) = \varnothing$ iff $\mathrm{Refiners}^{\mathcal{A}}_F(a) = \varnothing$, by point (A).

Let us now prove the main result. We denote by $a_i \in \mathcal{A}$, $f_i \in F$ and $\vec{S}_i \in \mathrm{Refiners}^{\mathcal{A}}_{f_i}(a_i)$ the se-
quences of, respectively, abstract objects, functions in $F$ and refiners iteratively computed by some run
of $\mathrm{GPT}^{\mathcal{A}}_F(a)$, where $a_0 = a$. Since $\{a_i\}$ is a decreasing chain in the abstract domain $\mathcal{A}_\leq$ which is
assumed to be DCC, it turns out that these sequences are finite. We denote by $a_{fin}$ the last element
in the sequence of $a_i$'s, i.e., $\mathrm{GPT}^{\mathcal{A}}_F(a) = a_{fin}$. Moreover, we also consider the following sequence
of abstract domains: $X_i = \gamma(a_i) \sqcap F^M(\gamma(a_i)) = \mathcal{M}(\gamma(a_i) \cup F(\gamma(a_i)))$. Let us notice that, since
$a_{i+1} < a_i$, by monotonicity, we have that $X_{i+1} \sqsubseteq X_i$. Moreover, since $\mathrm{Refiners}^{\mathcal{A}}_F(a_{fin}) = \varnothing$, by
point (B), $\gamma(a_{fin})$ is forward $F$-complete, hence $\gamma(a_{fin}) \sqsubseteq F^M(\gamma(a_{fin}))$, so that $X_{fin} = \gamma(a_{fin})$. We
show that $\alpha(X_{fin}) = \alpha(\mathcal{S}_F(\gamma(a)))$, so that $a_{fin} = \alpha(\gamma(a_{fin})) = \alpha(X_{fin}) = \alpha(\mathcal{S}_F(\gamma(a)))$ follows.
By point (A), $\mathrm{Refiners}_F(\gamma(a_{fin})) = \mathrm{Refiners}^{\mathcal{A}}_F(a_{fin}) = \varnothing$, thus, by Lemma 4.2 (i), $\gamma(a_{fin})$ is for-
ward $F$-complete. Moreover, $\gamma(a_{fin}) \sqsubseteq \gamma(a_0) = \gamma(a)$ and consequently $\gamma(a_{fin}) \sqsubseteq \mathcal{S}_F(\gamma(a))$. Hence,
$\alpha(X_{fin}) = \alpha(\gamma(a_{fin})) \leq \alpha(\mathcal{S}_F(\gamma(a)))$. Let us now show, by induction on $i$, that $\alpha(X_i) \geq \alpha(\mathcal{S}_F(\gamma(a)))$.

($i = 0$): $X_0 = \gamma(a_0) \sqcap F^M(\gamma(a_0)) = \gamma(a) \sqcap F^M(\gamma(a))$, hence, since $\mathcal{S}_F(\gamma(a)) \sqsubseteq \gamma(a), F^M(\gamma(a))$, we
have that $\mathcal{S}_F(\gamma(a)) \sqsubseteq X_0$, and therefore $\alpha(\mathcal{S}_F(\gamma(a))) \leq \alpha(X_0)$.

($i + 1$): Since $a_{i+1} = \alpha(\mathcal{M}(\gamma(a_i) \cup \{f_i(\vec{S}_i)\}))$, where $\vec{S}_i \in \gamma(a_i)^{\sharp(f_i)}$, we have that $f_i(\vec{S}_i) \in F(\gamma(a_i))$.
Hence, $\mathcal{M}(\gamma(a_i) \cup \{f_i(\vec{S}_i)\}) \sqsupseteq \mathcal{M}(\gamma(a_i) \cup F(\gamma(a_i))) = \gamma(a_i) \sqcap F^M(\gamma(a_i)) = X_i$, namely $X_i \sqsubseteq
\mathcal{M}(\gamma(a_i) \cup \{f_i(\vec{S}_i)\})$, so that $\alpha(X_i) \leq a_{i+1}$ and $\gamma(\alpha(X_i)) \sqsubseteq \gamma(a_{i+1})$. Moreover:

$\alpha(X_{i+1}) =$
$\alpha(\gamma(a_{i+1}) \sqcap F^M(\gamma(a_{i+1}))) =$ [since $\alpha$ is co-additive]
$\alpha(\gamma(a_{i+1})) \wedge \alpha(F^M(\gamma(a_{i+1}))) \geq$ [since $\gamma(a_{i+1}) \sqsupseteq \gamma(\alpha(X_i))$]
$\alpha(\gamma(\alpha(X_i))) \wedge \alpha(F^M(\gamma(\alpha(X_i)))) \geq$ [by induction]
$\alpha(\gamma(\alpha(\mathcal{S}_F(\gamma(a))))) \wedge \alpha(F^M(\gamma(\alpha(\mathcal{S}_F(\gamma(a)))))) =$ [since $\alpha \circ \gamma \circ \alpha = \alpha$]
$\alpha(\mathcal{S}_F(\gamma(a))) \wedge \alpha(\gamma(\alpha(F^M(\gamma(\alpha(\mathcal{S}_F(\gamma(a)))))))).$

Now, both conditions (i) and (ii) imply that

$\alpha(\gamma(\alpha(F^M(\gamma(\alpha(\mathcal{S}_F(\gamma(a)))))))) = \alpha(\gamma(\alpha(F^M(\mathcal{S}_F(\gamma(a)))))).$

Thus, we may proceed as follows:

$\alpha(\mathcal{S}_F(\gamma(a))) \wedge \alpha(\gamma(\alpha(F^M(\gamma(\alpha(\mathcal{S}_F(\gamma(a)))))))) =$ [by either condition (i) or (ii)]
$\alpha(\mathcal{S}_F(\gamma(a))) \wedge \alpha(\gamma(\alpha(F^M(\mathcal{S}_F(\gamma(a)))))) =$ [since $\alpha \circ \gamma \circ \alpha = \alpha$]
$\alpha(\mathcal{S}_F(\gamma(a))) \wedge \alpha(F^M(\mathcal{S}_F(\gamma(a)))) =$ [as $\mathcal{S}_F(\gamma(a))$ is forward $F$-complete]
$\alpha(\mathcal{S}_F(\gamma(a))) \wedge \alpha(\mathcal{S}_F(\gamma(a))) =$
$\alpha(\mathcal{S}_F(\gamma(a))).$

Thus, this closes the proof. □

Corollary 4.5. Under the hypotheses of Theorem 4.4, for any $a \in \mathcal{A}$, $\mathrm{GPT}^{\mathcal{A}}_F(a)$ is the $F$-stable shell of $a$.

Proof. By Theorem 4.4, $\mathrm{GPT}^{\mathcal{A}}_F(a) \leq a$ and is $F$-stable. Let us show that $\mathrm{GPT}^{\mathcal{A}}_F(a)$ indeed is the $F$-stable
shell of $a$. Let $b \in \mathcal{A}$ such that $b \leq a$ and $\mathrm{Refiners}^{\mathcal{A}}_F(b) = \varnothing$. Since $b \leq a$, we have that $\gamma(b) \sqsubseteq \gamma(a)$.
Moreover, by point (A) in the proof of Theorem 4.4, $\mathrm{Refiners}_F(\gamma(b)) = \mathrm{Refiners}^{\mathcal{A}}_F(b) = \varnothing$, so that
$\gamma(b)$ is forward $F$-complete by Lemma 4.2 (i). Hence, $\gamma(b) \sqsubseteq \mathcal{S}_F(\gamma(a))$ and thus, by Theorem 4.4,

$b = \alpha(\gamma(b)) \leq \alpha(\mathcal{S}_F(\gamma(a))) = \mathrm{GPT}^{\mathcal{A}}_F(a).$ □



Example 4.6. Let us consider again Examples 2.1 and 4.3. Recall from Section 2 that the disjunctive shell
$\mathcal{S}_{dis} : \mathrm{Abs}(\wp(\Sigma)) \to \mathrm{dAbs}(\wp(\Sigma))$ maps any abstract domain $A$ to its disjunctive completion $\mathcal{S}_{dis}(A) =
\{\cup \mathcal{S} \mid \mathcal{S} \subseteq \gamma(A)\}$. It turns out that the disjunctive shell $\mathcal{S}_{dis}$ allows us to view $\mathrm{dAbs}(\wp(\Sigma))_\sqsupseteq$ as an abstraction
of $\mathrm{Abs}(\wp(\Sigma))_\sqsupseteq$, namely $(\mathcal{S}_{dis}, \mathrm{Abs}(\wp(\Sigma))_\sqsupseteq, \mathrm{dAbs}(\wp(\Sigma))_\sqsupseteq, \mathrm{id})$ is a GI. This is a consequence of the fact
that disjunctive abstract domains are closed under lub's in $\mathrm{Abs}(\wp(\Sigma))$ and therefore $\mathrm{dAbs}(\wp(\Sigma))_\sqsupseteq$ is a
Moore-family of $\mathrm{Abs}(\wp(\Sigma))_\sqsupseteq$.

It turns out that condition (i) of Theorem 4.4 is satisfied for this GI. In fact, by exploiting the fact that
$\mathrm{post}_R : \wp(\Sigma) \to \wp(\Sigma)$ is additive, it is not hard to verify that $\mathcal{S}_{dis} \circ \mathrm{post}_R^M \circ \mathcal{S}_{dis} = \mathcal{S}_{dis} \circ \mathrm{post}_R^M$.
Thus, let us apply $\mathrm{GPT}^{\mathrm{dAbs}}_{\mathrm{post}_R}$ to the disjunctive abstract domain $X_0 = \{\varnothing, 2, 1234\} = \mathcal{S}_{dis}(\{2, 1234\}) \in
\mathrm{dAbs}(\wp(\Sigma))$.

$X_0 = \{\varnothing, 2, 1234\}$
$S_0 = \{2\} \in \mathrm{Refiners}^{\mathrm{dAbs}}_{\mathrm{post}_R}(X_0)$
$X_1 = \mathcal{S}_{dis}(\mathcal{M}(X_0 \cup \{\mathrm{post}_R(S_0)\})) = \mathcal{S}_{dis}(\{\varnothing, 2, 3, 1234\}) = \{\varnothing, 2, 3, 23, 1234\}$
$S_1 = \{3\} \in \mathrm{Refiners}^{\mathrm{dAbs}}_{\mathrm{post}_R}(X_1)$
$X_2 = \mathcal{S}_{dis}(\mathcal{M}(X_1 \cup \{\mathrm{post}_R(S_1)\})) = \mathcal{S}_{dis}(\{\varnothing, 2, 3, 23, 4, 1234\}) = \{\varnothing, 2, 3, 4, 23, 24, 34, 234, 1234\}$
$\Rightarrow \mathrm{Refiners}^{\mathrm{dAbs}}_{\mathrm{post}_R}(X_2) = \varnothing$

From Example 4.3 we know that $\mathcal{S}_{\mathrm{post}_R}(X_0) = \{\varnothing, 2, 3, 4, 34, 234, 1234\}$. Thus, as expected from The-
orem 4.4, $\mathrm{GPT}^{\mathrm{dAbs}}_{\mathrm{post}_R}(X_0)$ coincides with $\mathcal{S}_{dis}(\mathcal{S}_{\mathrm{post}_R}(X_0)) = \{\varnothing, 2, 3, 4, 23, 24, 34, 234, 1234\}$. Note
that the abstract fixpoint has been reached in two iterations, whereas in Example 4.3 the concrete compu-
tation by $\mathrm{CPT}_{\mathrm{post}_R}$ needed four iterations. □
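The refiner-driven algorithm $\mathrm{GPT}^{\mathcal{A}}_F$ of Section 4.2, run on the domain of Examples 4.3 and 4.6, as an added example that is not the paper's own code. With `alpha = identity` it is $\mathrm{CPT}_{\mathrm{post}_R}$ and reproduces the four steps of Example 4.3; with `alpha = disjunctive` (the disjunctive shell, with $\gamma = \mathrm{id}$) it reproduces the two steps of Example 4.6, and the two results are related by $\mathcal{S}_{dis}$ as Theorem 4.4 predicts. Assumed here: inputs are already Moore families, the transformers in $F$ are unary, and the refiner with the fewest states is taken first, which is just one of the admissible nondeterministic choices; the function and constant names are mine.

```python
"""GPT^A_F of Section 4.2 over a finite state space (added example, not the paper's code).

An abstract domain is represented by its image gamma(A), a Moore family of
frozensets.  The higher-order abstraction A is given by a closure `alpha` on
such families with gamma = id, exactly as for the disjunctive shell of Example
4.6; `alpha = identity` gives the concrete algorithm CPT_F.  Inputs are assumed
to be Moore families and the transformers in F to be unary.
"""


def fs(*xs):
    return frozenset(xs)


def moore_add(family, new):
    """M(gamma(A) ∪ {new}) for an intersection-closed family."""
    return frozenset(family) | frozenset(x & new for x in family)


def identity(family):
    return frozenset(family)


def disjunctive(family):
    """S_dis(A): close the family under arbitrary unions (including the empty one).
    Unions of an intersection-closed family are again intersection-closed."""
    closed = set(family) | {frozenset()}
    changed = True
    while changed:
        changed = False
        for x in list(closed):
            for y in list(closed):
                if (x | y) not in closed:
                    closed.add(x | y)
                    changed = True
    return frozenset(closed)


def post(R):
    return lambda S: frozenset(t for (s, t) in R if s in S)


def refine(f, S, A, alpha):
    """refine^A_f(S, a) = alpha(refine_f(S, gamma(a))) = alpha(M(gamma(a) ∪ {f(S)}))."""
    return alpha(moore_add(A, f(S)))


def refiners(F, A, alpha):
    """Refiners^A_F(a): pairs (f, S) with S in gamma(a) and refine^A_f(S, a) < a,
    i.e. the refined family is a strict superset (strictly more concrete)."""
    return [(f, S) for f in F for S in A if refine(f, S, A, alpha) > A]


def gpt(A, F, alpha):
    """GPT^A_F(a): apply one refiner per step until none is left (F-stability).
    The refiner with the fewest states is chosen first; any choice gives the
    same result (Theorem 4.4).  Returns (stable object, number of steps)."""
    A = alpha(A)
    steps = 0
    while True:
        R = refiners(F, A, alpha)
        if not R:
            return A, steps
        f, S = min(R, key=lambda r: (len(r[1]), sorted(r[1])))
        A = refine(f, S, A, alpha)      # f(S) is computed once and never again
        steps += 1


# Examples 2.1 / 4.3 / 4.6: Sigma = {1,2,3,4}, R = {(1,2),(2,3),(3,4),(4,4)}.
SIGMA = fs(1, 2, 3, 4)
POST = post({(1, 2), (2, 3), (3, 4), (4, 4)})
X0 = {fs(), fs(2), SIGMA}

if __name__ == "__main__":
    concrete, n = gpt(X0, [POST], identity)
    print("CPT_post:", sorted(map(sorted, concrete)), "in", n, "steps")
    abstract, m = gpt(X0, [POST], disjunctive)
    print("GPT^dAbs_post:", sorted(map(sorted, abstract)), "in", m, "steps")
```

The `refiners` test `refine(...) > A` is exactly the strictness condition $\mathrm{refine}^{\mathcal{A}}_f(\vec{S}, a) < a$ read on the dual order: a strictly larger family is a strictly more concrete domain. For the partition instance of Section 4.4 one would plug in `alpha = pad ∘ par`, but enumerating $\mathrm{pad}(P)$ is exponential in the number of blocks, which is why that instance is better run as a split-based algorithm on partitions directly.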



4.3 An Optimization of GPT

As pointed out by Paige and Tarjan [22], the PT algorithm works even if splitters are chosen among
blocks instead of unions of blocks, i.e., if $\mathrm{PTrefiners}(P)$ is replaced with the subset of "block refiners"
$\mathrm{PTblockrefiners}(P) = \mathrm{PTrefiners}(P) \cap P$. This can be easily generalized as follows. Given $g \in F$,
for any $a \in \mathcal{A}$, let $\mathrm{subRefiners}^{\mathcal{A}}_g(a) \subseteq \mathrm{Refiners}^{\mathcal{A}}_g(a)$ be any subset of refiners. We denote by $\mathrm{IGPT}^{\mathcal{A}}_F$
(which stands for Improved GPT) the version of $\mathrm{GPT}^{\mathcal{A}}_F$ where $\mathrm{Refiners}^{\mathcal{A}}_g$ is replaced with $\mathrm{subRefiners}^{\mathcal{A}}_g$.
If stability for subrefiners is equivalent to stability for refiners then IGPT turns out to be correct.
Corollary 4.7. Let $g \in F$ be such that, for any $a \in \mathcal{A}$, $\mathrm{subRefiners}^{\mathcal{A}}_g(a) = \varnothing \iff \mathrm{Refiners}^{\mathcal{A}}_g(a) = \varnothing$.
Then, for any $a \in \mathcal{A}$, $\mathrm{GPT}^{\mathcal{A}}_F(a) = \mathrm{IGPT}^{\mathcal{A}}_F(a)$.

Proof. Let $\mathrm{subRefiners}^{\mathcal{A}}_F(a) = \mathrm{subRefiners}^{\mathcal{A}}_g(a) \cup (\cup_{f \in F,\, f \neq g} \mathrm{Refiners}^{\mathcal{A}}_f(a))$. By hypothesis, we have that
$\mathrm{subRefiners}^{\mathcal{A}}_F(a) \neq \varnothing$ iff $\mathrm{Refiners}^{\mathcal{A}}_F(a) \neq \varnothing$. Let $\{a_i\}$ be the finite decreasing chain of abstract objects
computed by $\mathrm{IGPT}^{\mathcal{A}}_F(a)$. Since $\mathrm{subRefiners}^{\mathcal{A}}_F(\mathrm{IGPT}^{\mathcal{A}}_F(a)) = \varnothing$ we have that $\mathrm{Refiners}^{\mathcal{A}}_F(\mathrm{IGPT}^{\mathcal{A}}_F(a)) =
\varnothing$. Moreover, since, for any $i$, $\mathrm{subRefiners}^{\mathcal{A}}_F(a_i) \subseteq \mathrm{Refiners}^{\mathcal{A}}_F(a_i)$, there exists a run of $\mathrm{GPT}^{\mathcal{A}}_F(a)$ which
exactly computes the sequence $\{a_i\}$, so that, by Theorem 4.4, $\mathrm{IGPT}^{\mathcal{A}}_F(a) = \mathrm{GPT}^{\mathcal{A}}_F(a)$. □

4.4 Instantiating GPT with Partitions 

Let us now show how the above GPT algorithm can be instantiated to the lattice of partitions. Assume that the state space $\Sigma$ is finite. Recall from Section 3 that the lattice of partitions can be viewed as an approximation of the lattice of abstract domains through the GI $(\mathrm{par}, \mathrm{Abs}(\wp(\Sigma))_\sqsubseteq, \mathrm{Part}(\Sigma)_\preceq, \mathrm{pad})$. The following properties (1) and (2) are consequences of the fact that a partitioning abstract domain $\mathrm{pad}(P)$ is closed under complements, i.e. $X \in \mathrm{pad}(P)$ iff $\complement(X) \in \mathrm{pad}(P)$.

(1) $\mathrm{Refiners}^{\mathrm{Part}}_{\complement}(P) = \varnothing$.

(2) For any $f$ and $S \in \wp(\Sigma)$, $\mathrm{refine}^{\mathrm{Part}}_f(S, P) = P \curlywedge \{f(S), \complement(f(S))\}$.

Thus, by Point (1), for any $F \subseteq \mathrm{Fun}(\wp(\Sigma))$, a partition $P \in \mathrm{Part}(\Sigma)$ is $F$-stable iff $P$ is $(F \cup \{\complement\})$-stable, that is, complements can be left out. Hence, if $F^{\complement}$ denotes $F \smallsetminus \{\complement\}$ then $\mathrm{GPT}^{\mathrm{Part}}_F$ may be simplified as follows.



    input: partition $P \in \mathrm{Part}(\Sigma)$;
    while ($\mathrm{Refiners}^{\mathrm{Part}}_{F^{\complement}}(P) \neq \varnothing$) do
        choose, for some $f \in F^{\complement}$, $S \in \mathrm{Refiners}^{\mathrm{Part}}_f(P)$;
        $P := P \curlywedge \{f(S), \complement(f(S))\}$;
    endwhile
    output: $P$;

                                $\mathrm{GPT}^{\mathrm{Part}}_F$



Note that the number of iterations of $\mathrm{GPT}^{\mathrm{Part}}_F$ is bounded by the height of the lattice $\mathrm{Part}(\Sigma)$, namely by the number of states $|\Sigma|$. Thus, if each refinement step involving some $f \in F$ takes $O(\mathrm{cost}(f))$ time then the time complexity of $\mathrm{GPT}^{\mathrm{Part}}_F$ is bounded by $O(|\Sigma| \cdot \max(\{\mathrm{cost}(f) \mid f \in F\}))$.

Let us now consider a language $\mathcal{L}$ and a semantic structure $(\Sigma, I)$ for $\mathcal{L}$. If $\mathcal{L}$ is closed under logical conjunction and negation then, for any $A \in \mathrm{Abs}(\wp(\Sigma))$, $\mathcal{S}_{\mathrm{Op}_{\mathcal{L}}}(A)$ is closed under complements and therefore it is a partitioning abstract domain. Thus, condition (ii) of Theorem 4.4 is satisfied since $\mathcal{S}_{\mathrm{Op}_{\mathcal{L}}}$ maps partitioning abstract domains into partitioning abstract domains. The following characterization is thus obtained as a consequence of (3.2).

Corollary 4.8. If $\mathcal{L}$ is closed under conjunction and negation then $\mathrm{GPT}^{\mathrm{Part}}_{\mathrm{Op}_{\mathcal{L}}}(P_\ell) = P_{\mathcal{L}}$.

This provides an algorithm parameterized on a language $\mathcal{L}$ that includes propositional logic for computing the coarsest strongly preserving partition $P_{\mathcal{L}}$.

PT as an Instance of GPT. It is now immediate to obtain PT as an instance of GPT. We know that $\mathrm{GPT}^{\mathrm{Part}}_{\{\mathrm{pre}, \complement\}} = \mathrm{GPT}^{\mathrm{Part}}_{\mathrm{pre}}$. Moreover, by Lemma 4.1 (i)-(ii):

$P \curlywedge \{\mathrm{pre}(S), \complement(\mathrm{pre}(S))\} = \mathrm{PTsplit}(S, P)$ and $\mathrm{Refiners}^{\mathrm{Part}}_{\mathrm{pre}}(P) = \mathrm{PTrefiners}(P)$.

Hence, by Lemma 4.1 (iii), it turns out that $P \in \mathrm{Part}(\Sigma)$ is PT stable iff $\mathrm{Refiners}^{\mathrm{Part}}_{\mathrm{pre}}(P) = \varnothing$. Thus, the instance $\mathrm{GPT}^{\mathrm{Part}}_{\mathrm{pre}}$ provides exactly the PT algorithm. Also, correctness follows from Corollaries 4.5 and 4.8: $\mathrm{GPT}^{\mathrm{Part}}_{\mathrm{pre}}(P_\ell)$ is both the coarsest PT stable refinement of $P_\ell$ and the coarsest strongly preserving partition $P_{\mathrm{HML}}$.
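The following Python program is an added worked example, not code from the paper: it implements $\mathrm{GPT}^{\mathrm{Part}}_F$ exactly as stated above (refiners are unions of blocks, a refinement step is the meet $P \curlywedge \{f(S), \complement(f(S))\}$) on a small constructed Kripke structure, instantiates it with $F = \{\mathrm{pre}\}$ to obtain PT, and also runs the block-refiner variant of Section 4.3 to confirm that, as Corollary 4.7 predicts, both reach the same coarsest stable refinement of $P_\ell$. The state space, transitions and labelling are invented for the example; the refiner search enumerates all unions of blocks, which is fine for a toy instance but exponential in general.

```python
from itertools import combinations

# Constructed example Kripke structure (not taken from the paper).
STATES = frozenset(range(1, 7))
TRANS = [(1, 3), (2, 4), (3, 5), (4, 4), (6, 3)]
# P_ell: states carrying the same labelling start in the same block.
P_ELL = frozenset({frozenset({1, 2, 6}), frozenset({3, 4}), frozenset({5})})


def pre(S, trans=TRANS):
    """pre(S): the states with at least one successor in S."""
    return frozenset(s for s, t in trans if t in S)


def meet(P, X):
    """P meet {X, complement(X)}: split every block of P by X."""
    return frozenset(b for B in P for b in (B & X, B - X) if b)


def pad(P):
    """All non-empty unions of blocks of P (the partitioning abstract domain)."""
    blocks = list(P)
    return [frozenset().union(*c)
            for r in range(1, len(blocks) + 1)
            for c in combinations(blocks, r)]


def refiners(P, f, block_refiners_only=False):
    """Refiners^Part_f(P): those S in pad(P) (or in P only, Section 4.3)
    such that splitting P by f(S) gives a strictly finer partition."""
    candidates = list(P) if block_refiners_only else pad(P)
    return [S for S in candidates if meet(P, f(S)) != P]


def gpt_part(P0, F, block_refiners_only=False):
    """GPT^Part_F: refine P0 until no f in F has a refiner left."""
    P = frozenset(P0)
    while True:
        for f in F:
            R = refiners(P, f, block_refiners_only)
            if R:
                P = meet(P, f(R[0]))
                break
        else:          # no f in F has a refiner: P is F-stable
            return P


def pt_partition():
    """PT as GPT^Part_pre: the coarsest pre-stable refinement of P_ell."""
    return gpt_part(P_ELL, [pre])


if __name__ == "__main__":
    print(sorted(sorted(B) for B in pt_partition()))
```

On this structure states 1 and 6 (both labelled like 2, both moving to 3) end up in one block, while 2 is separated because its successor 4 is split from 3 by the refiner $\{5\}$.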
5 Applications



5.1 Stuttering Equivalence and Groote-Vaandrager Algorithm 

Lamport's criticism [21] of the next-time operator X in CTL/CTL* is well known. This motivated the study of temporal logics like CTL-X/CTL*-X obtained from CTL/CTL* by removing the next-time operator and led to the study of a notion of behavioural stuttering-based equivalence [2, 8, 15]. We are interested here in divergence blind stuttering (dbs for short) equivalence. Let $\mathcal{K} = (\Sigma, \rightarrow, \ell)$ be a Kripke structure over a set $AP$ of atoms. A relation $R \subseteq \Sigma \times \Sigma$ is a divergence blind stuttering relation on $\mathcal{K}$ if for any $s, s' \in \Sigma$ such that $sRs'$:

(1) $\ell(s) = \ell(s')$;

(2) If $s \rightarrow t$ then there exist $t_0, \ldots, t_k \in \Sigma$, with $k \geq 0$, such that: (i) $t_0 = s'$; (ii) for all $i \in [0, k-1]$, $t_i \rightarrow t_{i+1}$ and $sRt_i$; (iii) $tRt_k$.

(3) $s'Rs$, i.e. $R$ is symmetric.

Observe that condition (2) allows the case $k = 0$ and this simply boils down to requiring that $tRs'$. It turns out that the empty relation is a dbs relation and dbs relations are closed under union. Hence, the largest dbs relation exists and is an equivalence relation called dbs equivalence, whose corresponding partition is denoted by $P_{\mathrm{dbs}} \in \mathrm{Part}(\Sigma)$.

We showed in [24] that $P_{\mathrm{dbs}}$ can be characterized as the coarsest strongly preserving partition $P_{\mathcal{L}}$ for the following language $\mathcal{L}$:

$\varphi ::= p \mid \varphi_1 \wedge \varphi_2 \mid \neg\varphi \mid \mathrm{EU}(\varphi_1, \varphi_2)$

where the semantics $\mathrm{EU} : \wp(\Sigma)^2 \rightarrow \wp(\Sigma)$ of the existential until operator EU is as usual:

$\mathrm{EU}(S_1, S_2) = S_2 \cup \{s \in S_1 \mid \exists s_0, \ldots, s_n \in \Sigma, \text{ with } n > 0, \text{ such that (i) } s_0 = s, \text{ (ii) } \forall i \in [0, n).\, s_i \in S_1,\ s_i \rightarrow s_{i+1}, \text{ (iii) } s_n \in S_2\}$.

Therefore, as a straight instance of Corollary 4.8, it turns out that $\mathrm{GPT}^{\mathrm{Part}}_{\mathrm{EU}}(P_\ell) = P_{\mathcal{L}} = P_{\mathrm{dbs}}$. Groote and Vaandrager [15] designed a partition refinement algorithm, here denoted by GV, for computing the partition $P_{\mathrm{dbs}}$. This algorithm uses the following definitions of split and refiner.⁵ For any $P \in \mathrm{Part}(\Sigma)$ and $B_1, B_2 \in P$,

$\mathrm{GVsplit}(\langle B_1, B_2 \rangle, P) = P \curlywedge \{\mathrm{EU}(B_1, B_2), \complement(\mathrm{EU}(B_1, B_2))\}$

$\mathrm{GVrefiners}(P) = \{\langle B_1, B_2 \rangle \in P \times P \mid \mathrm{GVsplit}(\langle B_1, B_2 \rangle, P) \prec P\}$.

The algorithm GV is as follows. Groote and Vaandrager show how GV can be efficiently implemented in $O(|{\rightarrow}| \cdot |\Sigma|)$-time.



    input: partition $P \in \mathrm{Part}(\Sigma)$;
    while ($\mathrm{GVrefiners}(P) \neq \varnothing$) do
        choose $\langle B_1, B_2 \rangle \in \mathrm{GVrefiners}(P)$;
        $P := \mathrm{GVsplit}(\langle B_1, B_2 \rangle, P)$;
    endwhile
    output: $P$;

                                GV



It turns out that GV exactly coincides with the optimized instance $\mathrm{IGPT}^{\mathrm{Part}}_{\mathrm{EU}}$ that considers block refiners. This is obtained as a straight consequence of the following facts.

Lemma 5.1.

(1) $\mathrm{GVrefiners}(P) = \varnothing$ iff $\mathrm{Refiners}^{\mathrm{Part}}_{\mathrm{EU}}(P) = \varnothing$.

(2) $\mathrm{GVsplit}(\langle B_1, B_2 \rangle, P) = \mathrm{refine}^{\mathrm{Part}}_{\mathrm{EU}}(\langle B_1, B_2 \rangle, P)$.

⁵ In [15], $\mathrm{pos}(B_1, B_2)$ denotes $\mathrm{EU}(B_1, B_2) \cap B_1$.

Proof. (1) It is sufficient to show that if for any $B_1, B_2 \in P$, $\mathrm{EU}(B_1, B_2) \in \mathrm{pad}(P)$, then for any $S_1, S_2 \in \mathrm{pad}(P)$, $\mathrm{EU}(S_1, S_2) \in \mathrm{pad}(P)$. Thus, we have to prove that for any $\{B_i\}_{i \in I}, \{B_j\}_{j \in J} \subseteq P$, $\mathrm{EU}(\bigcup_i B_i, \bigcup_j B_j) = \bigcup_k B_k$, for some $\{B_k\}_{k \in K} \subseteq P$. EU is an additive operator in its second argument, thus we only need to show that, for any $B \in P$, $\mathrm{EU}(\bigcup_i B_i, B) = \bigcup_k B_k$, namely if $s \in \mathrm{EU}(\bigcup_i B_i, B)$ and $s \in B'$, for some $B' \in P$, then $B' \subseteq \mathrm{EU}(\bigcup_i B_i, B)$. If $s \in \mathrm{EU}(\bigcup_i B_i, B)$, for some $B \in P$, then there exist $n \geq 0$ and $s_0, \ldots, s_n \in \Sigma$ such that $s_0 = s$, $\forall j \in [0, n-1].\, s_j \in \bigcup_i B_i$ and $s_j \rightarrow s_{j+1}$, and $s_n \in B$. Let us prove by induction on $n$ that if $s' \in B'$ then $s' \in \mathrm{EU}(\bigcup_i B_i, B)$.

- $n = 0$: In this case $s \in \bigcup_i B_i$ and $s \in B = B'$. Hence, for some $k$, $s \in B_k = B = B'$ and therefore $s \in \mathrm{EU}(B, B) = B$. Moreover, EU is monotone on its first argument and therefore $B' = B = \mathrm{EU}(B, B) \subseteq \mathrm{EU}(\bigcup_i B_i, B)$.

- $n + 1$: Suppose that there exist $s_0, \ldots, s_{n+1} \in \Sigma$ such that $s_0 = s$, $\forall j \in [0, n].\, s_j \in \bigcup_i B_i$ and $s_j \rightarrow s_{j+1}$, and $s_{n+1} \in B$. Let $s_n \in B_k$, for some $B_k \in \{B_i\}_{i \in I}$. Then, $s \in \mathrm{EU}(\bigcup_i B_i, B_k)$ and $s = s_0 \rightarrow s_1 \rightarrow \ldots \rightarrow s_n$. Since this trace has length $n$, by inductive hypothesis, $s' \in \mathrm{EU}(\bigcup_i B_i, B_k)$. Hence, there exist $r_0, \ldots, r_m \in \Sigma$, with $m \geq 0$, such that $s' = r_0$, $\forall j \in [0, m-1].\, r_j \in \bigcup_i B_i$ and $r_j \rightarrow r_{j+1}$, and $r_m \in B_k$. Moreover, since $s_n \rightarrow s_{n+1}$, we have that $s_n \in \mathrm{EU}(B_k, B)$. By hypothesis, $\mathrm{EU}(B_k, B) \supseteq B_k$, and therefore $r_m \in \mathrm{EU}(B_k, B)$. Thus, there exist $q_0, \ldots, q_l \in \Sigma$, with $l \geq 0$, such that $r_m = q_0$, $\forall j \in [0, l-1].\, q_j \in B_k$ and $q_j \rightarrow q_{j+1}$, and $q_l \in B$. We have thus found the following trace: $s' = r_0 \rightarrow r_1 \rightarrow \ldots \rightarrow r_m = q_0 \rightarrow q_1 \rightarrow \ldots \rightarrow q_l$, where all the states in the sequence but the last one $q_l$ belong to $\bigcup_i B_i$, while $q_l \in B$. This means that $s' \in \mathrm{EU}(\bigcup_i B_i, B)$.

(2) By Point (2) in Section 4.4, $\mathrm{refine}^{\mathrm{Part}}_{\mathrm{EU}}(\langle B_1, B_2 \rangle, P) = P \curlywedge \{\mathrm{EU}(B_1, B_2), \complement(\mathrm{EU}(B_1, B_2))\} = \mathrm{GVsplit}(\langle B_1, B_2 \rangle, P)$. □

Hence, by Corollary 4.7, Lemma 5.1 (1) allows us to exploit the $\mathrm{IGPT}^{\mathrm{Part}}_{\mathrm{EU}}$ algorithm in order to choose refiners for EU among the pairs of blocks of the current partition, so that by Lemma 5.1 (2) we obtain that $\mathrm{IGPT}^{\mathrm{Part}}_{\mathrm{EU}}$ exactly coincides with the GV algorithm.
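As an added worked example (this code is not part of the paper or of Groote and Vaandrager's implementation), the following Python program computes the EU operator as the least fixpoint $\mathrm{EU}(S_1, S_2) = S_2 \cup (S_1 \cap \mathrm{pre}(\mathrm{EU}(S_1, S_2)))$ and runs the GV algorithm exactly as written above, choosing refiners among pairs of blocks of the current partition. The Kripke structure is constructed for the example: two stuttering $p$-paths into a $q$-state, a divergent $p$-state that never reaches $q$, and a divergent $q$-state, so that the result shows both a split caused by EU and the divergence blindness of the equivalence (the dead $q$-state 3 and the looping $q$-state 6 stay together).

```python
# Constructed example Kripke structure (not taken from the paper):
#   1 -> 2 -> 3, 4 -> 3, 5 -> 5, 6 -> 6;  labels: p on {1,2,4,5}, q on {3,6}.
STATES = frozenset(range(1, 7))
TRANS = [(1, 2), (2, 3), (4, 3), (5, 5), (6, 6)]
P_ELL = frozenset({frozenset({1, 2, 4, 5}), frozenset({3, 6})})


def eu(S1, S2, trans=TRANS):
    """EU(S1, S2): S2 plus every state of S1 from which S2 is reachable along
    a path whose intermediate states all lie in S1 (least fixpoint)."""
    result = set(S2)
    changed = True
    while changed:
        changed = False
        for s, t in trans:
            if s in S1 and t in result and s not in result:
                result.add(s)
                changed = True
    return frozenset(result)


def gv_split(B1, B2, P):
    """GVsplit(<B1,B2>, P) = P meet {EU(B1,B2), complement(EU(B1,B2))}."""
    X = eu(B1, B2)
    return frozenset(b for B in P for b in (B & X, B - X) if b)


def gv_refiners(P):
    """GVrefiners(P): the pairs of blocks whose EU image strictly splits P."""
    return [(B1, B2) for B1 in P for B2 in P if gv_split(B1, B2, P) != P]


def gv(P0):
    """The GV algorithm: refine until no pair of blocks is a refiner."""
    P = frozenset(P0)
    while True:
        R = gv_refiners(P)
        if not R:
            return P
        B1, B2 = R[0]
        P = gv_split(B1, B2, P)


def dbs_partition():
    """P_dbs for the constructed structure, computed from P_ell."""
    return gv(P_ELL)


if __name__ == "__main__":
    print(sorted(sorted(B) for B in dbs_partition()))
```

The only refining pair is $\langle \{1,2,4,5\}, \{3,6\} \rangle$: its EU image is $\{1,2,3,4,6\}$, which separates the divergent $p$-state 5 from the $p$-states that can stutter into $q$.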

5.2 A New Simulation Equivalence Algorithm 

It is well known that simulation equivalence is an appropriate state equivalence to be used in abstract model checking because it strongly preserves ACTL* and provides a better state-space reduction than bisimulation equivalence. However, computing simulation equivalence is harder than bisimulation [20]. A number of algorithms for computing simulation equivalence exist; the most well known are by Henzinger, Henzinger and Kopke [18], Bloom and Paige [1], Bustan and Grumberg [3], Tan and Cleaveland [26] and Gentilini, Piazza and Policriti [11]. The algorithms by Henzinger, Henzinger and Kopke [18] and Bloom and Paige [1] run in $O(|{\rightarrow}| \cdot |\Sigma|)$-time and, as far as time-complexity is concerned, they are the best available algorithms. However, these algorithms have the drawback of a quadratic space complexity that is limited from below by $O(|\Sigma|^2)$. The algorithm by Gentilini, Piazza and Policriti [11] appears to be the best algorithm when both time and space complexities are taken into account. Let $P_{\mathrm{sim}}$ denote the partition corresponding to simulation equivalence so that $|P_{\mathrm{sim}}|$ is the number of simulation equivalence classes. Then, Gentilini et al.'s algorithm runs in $O(|P_{\mathrm{sim}}|^2 \cdot |{\rightarrow}|)$-time while the space complexity is in $O(|P_{\mathrm{sim}}|^2 + |\Sigma| \log(|P_{\mathrm{sim}}|))$. This algorithm greatly improves Bustan and Grumberg's [3] algorithm in space while retaining the same time complexity. Moreover, Gentilini et al. experimentally show that their algorithm also improves on Tan and Cleaveland's [26] algorithm both in time and space while the theoretical complexities cannot be easily compared. It is worth remarking that all these algorithms are quite sophisticated and may use complex data structures. We show how GPT can be instantiated in order to design a new simple and efficient simulation equivalence algorithm with competitive space and time complexities of, respectively, $O(|P_{\mathrm{sim}}|^2 + |\Sigma|)$ and $O(|P_{\mathrm{sim}}|^2 \cdot (|P_{\mathrm{sim}}|^2 + |{\rightarrow}|))$.

Consider a finite Kripke structure $\mathcal{K} = (\Sigma, \rightarrow, \ell)$. A relation $R \subseteq \Sigma \times \Sigma$ is a simulation on $\mathcal{K}$ if for any $s, s' \in \Sigma$ such that $sRs'$:

(1) $\ell(s') \subseteq \ell(s)$;

(2) For any $t \in \Sigma$ such that $s \rightarrow t$, there exists $t' \in \Sigma$ such that $s' \rightarrow t'$ and $tRt'$.
Simulation equivalence $\sim_{\mathrm{sim}} \subseteq \Sigma \times \Sigma$ is defined as follows: $s \sim_{\mathrm{sim}} s'$ iff there exist two simulation relations $R_1$ and $R_2$ such that $sR_1s'$ and $s'R_2s$. $P_{\mathrm{sim}} \in \mathrm{Part}(\Sigma)$ denotes the partition corresponding to $\sim_{\mathrm{sim}}$.

It is known (see e.g. [27, Section 8]) that simulation equivalence on $\mathcal{K}$ can be characterized as the state equivalence induced by the following language $\mathcal{L}$:

$\varphi ::= p \mid \varphi_1 \wedge \varphi_2 \mid \mathrm{EX}\varphi$

namely, $P_{\mathrm{sim}} = P_{\mathcal{L}}$, where the interpretation of EX in $\mathcal{K}$ is the standard predecessor operator. Let us consider the GI $(\mathcal{S}_{\mathrm{dis}}, \mathrm{Abs}(\wp(\Sigma))_\sqsubseteq, \mathrm{dAbs}(\wp(\Sigma))_\sqsubseteq, \mathrm{id})$ of disjunctive abstract domains into the lattice of abstract domains that we defined in Example 4.6. As observed in Example 4.6, it turns out that $\mathcal{S}_{\mathrm{dis}} \circ \mathcal{S}_{\mathrm{pre}_\rightarrow} \circ \mathcal{S}_{\mathrm{dis}} = \mathcal{S}_{\mathrm{dis}} \circ \mathcal{S}_{\mathrm{pre}_\rightarrow}$, namely the abstraction $\mathrm{dAbs}(\wp(\Sigma))$ is backward complete for $\mathcal{S}_{\mathrm{pre}_\rightarrow}$. Thus, by applying Theorem 4.4 (i) we obtain

$\mathrm{GPT}^{\mathrm{dAbs}}_{\mathrm{pre}}(P_\ell) = \mathcal{S}_{\mathrm{dis}}(\mathcal{S}_{\mathrm{pre}}(\mathrm{pad}(P_\ell)))$.

In turn, by applying the partitioning abstraction $\mathrm{par}$ we obtain

$\mathrm{par}(\mathrm{GPT}^{\mathrm{dAbs}}_{\mathrm{pre}}(P_\ell)) = \mathrm{par}(\mathcal{S}_{\mathrm{dis}}(\mathcal{S}_{\mathrm{pre}}(\mathrm{pad}(P_\ell)))) = \mathrm{par}(\mathcal{S}_{\mathrm{pre}}(\mathrm{pad}(P_\ell)))$

because $\mathrm{par} \circ \mathcal{S}_{\mathrm{dis}} = \mathrm{par}$. Also, by (3.2), we know that $\mathrm{par}(\mathcal{S}_{\mathrm{pre}}(\mathrm{pad}(P_\ell))) = P_{\mathcal{L}} = P_{\mathrm{sim}}$. We have therefore shown that

$\mathrm{par}(\mathrm{GPT}^{\mathrm{dAbs}}_{\mathrm{pre}}(P_\ell)) = P_{\mathrm{sim}}$

namely the following instance $\mathrm{GPT}^{\mathrm{dAbs}}_{\mathrm{pre}}$ allows to compute simulation equivalence.



    input: disjunctive abstract domain $A := \mathcal{S}_{\mathrm{dis}}(\{[s]_\ell\}_{s \in \Sigma}) \in \mathrm{dAbs}(\wp(\Sigma))$;
    while ($\mathrm{Refiners}^{\mathrm{dAbs}}_{\mathrm{pre}}(A) \neq \varnothing$) do
        choose $S \in \mathrm{Refiners}^{\mathrm{dAbs}}_{\mathrm{pre}}(A)$;
        $A := \mathrm{refine}^{\mathrm{dAbs}}_{\mathrm{pre}}(S, A)$;
    endwhile
    output: $A$;

                                $\mathrm{GPT}^{\mathrm{dAbs}}_{\mathrm{pre}}$



$\mathrm{GPT}^{\mathrm{dAbs}}_{\mathrm{pre}}$ works by iteratively refining a disjunctive abstract domain $A \in \mathrm{dAbs}(\wp(\Sigma))$, which is first initialized to the disjunctive shell of the abstract domain determined by the labeling of atoms. Then, $\mathrm{GPT}^{\mathrm{dAbs}}_{\mathrm{pre}}$ iteratively finds a refiner $S$ for $A$, namely a set $S \in \gamma(A)$ such that $\mathrm{pre}_\rightarrow(S)$ does not belong to $\gamma(A)$ and therefore may contribute to refine $A$, i.e. $\mathrm{refine}^{\mathrm{dAbs}}_{\mathrm{pre}}(S, A) = \mathcal{M}(\gamma(A) \cup \{\mathrm{pre}_\rightarrow(S)\}) \sqsubset A$. Simulation equivalence is then computed from the output disjunctive abstract domain $A$ as $P_{\mathrm{sim}} = \mathrm{par}(A)$.

It turns out that refiners of a disjunctive abstract domain $A$ can be chosen among images of blocks in $\mathrm{par}(A)$, namely in

$\mathrm{subRefiners}^{\mathrm{dAbs}}_{\mathrm{pre}}(A) = \mathrm{Refiners}^{\mathrm{dAbs}}_{\mathrm{pre}}(A) \cap \{\gamma(\alpha(B)) \mid B \in \mathrm{par}(A)\}$.

In fact, since both $\gamma \circ \alpha$ and $\mathrm{pre}_\rightarrow$ are additive functions, it turns out that $\forall S \in \gamma(A).\, \mathrm{pre}_\rightarrow(S) \in \gamma(A)$ iff $\forall B \in \mathrm{par}(A).\, \mathrm{pre}_\rightarrow(\gamma(\alpha(B))) \in \gamma(A)$, so that $\mathrm{subRefiners}^{\mathrm{dAbs}}_{\mathrm{pre}}(A) = \varnothing$ iff $\mathrm{Refiners}^{\mathrm{dAbs}}_{\mathrm{pre}}(A) = \varnothing$, and therefore Corollary 4.7 can be applied.



5.2.1 A Data Structure for Disjunctive Abstract Domains 

It turns out that a disjunctive abstract domain $A \in \mathrm{dAbs}(\wp(\Sigma))$ can be represented through the partition $\mathrm{par}(A) \in \mathrm{Part}(\Sigma)$ induced by $A$ and the following relation $\leq_A$ on $\mathrm{par}(A)$:

$\forall B_1, B_2 \in \mathrm{par}(A),\ B_1 \leq_A B_2 \text{ iff } \gamma(\alpha(B_1)) \subseteq \gamma(\alpha(B_2))$.

It is clear that this gives rise to a partial order relation because if $B_1, B_2 \in \mathrm{par}(A)$ and $\gamma(\alpha(B_1)) = \gamma(\alpha(B_2))$ then we can pick $s_1 \in B_1$ and $s_2 \in B_2$ so that $\gamma(\alpha(\{s_1\})) = \gamma(\alpha(B_1)) = \gamma(\alpha(B_2)) = \gamma(\alpha(\{s_2\}))$, namely $s_1$ and $s_2$ are equivalent according to $\mathrm{par}(A)$ and therefore $B_1 = B_2$. The poset $(\mathrm{par}(A), \leq_A)$ is denoted by $\mathrm{poset}(A)$. It turns out that a disjunctive abstract domain can always be represented by this poset, namely the closure operator induced by $A$ can be defined in terms of $\mathrm{poset}(A)$ as follows.
Figure 3: Disjunctive Abstract Domains as Posets.



Lemma 5.2. Let $A \in \mathrm{dAbs}(\wp(\Sigma))$. For any $S \subseteq \Sigma$, $\gamma_A(\alpha_A(S)) = \bigcup\{B \in \mathrm{par}(A) \mid \exists C \in \mathrm{par}(A).\, C \cap S \neq \varnothing \ \&\ B \leq_A C\}$.

Proof. ($\subseteq$) Consider any $x \in \gamma_A(\alpha_A(S)) = \bigcup_{s \in S} \gamma_A(\alpha_A(\{s\}))$. Then, there exists some $s \in S$ such that $x \in \gamma_A(\alpha_A(\{s\}))$. We consider $B_x, B_s \in \mathrm{par}(A)$ such that $x \in B_x$ and $s \in B_s$. Then, $B_s \cap S \neq \varnothing$ and $B_x \leq_A B_s$ because $\gamma_A(\alpha_A(B_x)) = \gamma_A(\alpha_A(\{x\})) \subseteq \gamma_A(\alpha_A(\{s\})) = \gamma_A(\alpha_A(B_s))$.
($\supseteq$) Let $B, C \in \mathrm{par}(A)$ such that $s \in C \cap S$ and $B \leq_A C$. Then, $B \subseteq \gamma_A(\alpha_A(B)) \subseteq \gamma_A(\alpha_A(C)) = \gamma_A(\alpha_A(\{s\})) \subseteq \gamma_A(\alpha_A(S))$. □



Example 5.3. Some examples of posets that represent disjunctive abstract domains are depicted in Figure 3.

1. The disjunctive abstract domain $A_1 = \{\varnothing, [45], [12345]\}$ is such that $\mathrm{par}(A_1) = \{[123], [45]\}$.

2. The disjunctive domain $A_2 = \{\varnothing, [45], [123], [12345]\}$ induces the same partition $\{[123], [45]\}$, while $\mathrm{poset}(A_2)$ is discrete.

3. The disjunctive abstract domain $A_3 = \{\varnothing, [4], [5], [45], [12345]\}$ induces the partition $\mathrm{par}(A_3) = \{[123], [4], [5]\}$.

4. The disjunctive abstract domain $A_4 = \{\varnothing, [45], [145], [245], [1245], [12345]\}$ induces the partition $\mathrm{par}(A_4) = \{[1], [2], [3], [45]\}$. □

A disjunctive abstract domain $A \in \mathrm{dAbs}(\wp(\Sigma))$ is thus represented by $\mathrm{poset}(A)$. This means that our implementation of $\mathrm{GPT}^{\mathrm{dAbs}}_{\mathrm{pre}}$ maintains and refines a partition $\mathrm{par}(A)$ and an order relation on $\mathrm{par}(A)$. Let us describe how this can be done.
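The following Python program is an added worked example, not the paper's implementation: it serves both the $\mathrm{GPT}^{\mathrm{dAbs}}_{\mathrm{pre}}$ instance of Section 5.2 and the poset representation of Section 5.2.1. A disjunctive abstract domain is represented naively as the explicit family of its elements, closed under unions and intersections (this is the role that $\mathcal{S}_{\mathrm{dis}} \circ \mathcal{M}$ plays above; the explicit family is exponential in general and only meant for small instances). The program refines the disjunctive shell of the labelling classes by $\mathrm{pre}_\rightarrow$ until no refiner is left, extracts $P_{\mathrm{sim}} = \mathrm{par}(A)$, builds $\mathrm{poset}(A)$ and checks Lemma 5.2 by recomputing $\gamma_A(\alpha_A(S))$ from the poset alone. The Kripke structure is constructed for the example (states 1 and 5 are simulation equivalent but not bisimilar); $A_4$ is the domain of Example 5.3.

```python
# Constructed example Kripke structure (not from the paper):
#   1 -> 2, 1 -> 3, 3 -> 4, 5 -> 6, 6 -> 7;  labels a:{1,5}  b:{2,3,6}  c:{4,7}
STATES = frozenset(range(1, 8))
TRANS = [(1, 2), (1, 3), (3, 4), (5, 6), (6, 7)]
LABEL_CLASSES = [frozenset({1, 5}), frozenset({2, 3, 6}), frozenset({4, 7})]


def pre(S, trans=TRANS):
    """pre_->(S): states with a successor in S."""
    return frozenset(s for s, t in trans if t in S)


def lattice_closure(sets, universe):
    """Smallest family containing `sets`, the empty set and Sigma that is
    closed under binary union and intersection (S_dis of the Moore closure)."""
    fam = set(sets) | {frozenset(), frozenset(universe)}
    changed = True
    while changed:
        changed = False
        for X in list(fam):
            for Y in list(fam):
                for Z in (X | Y, X & Y):
                    if Z not in fam:
                        fam.add(Z)
                        changed = True
    return frozenset(fam)


def alpha(A, S):
    """gamma_A(alpha_A(S)): the least element of A containing S."""
    return frozenset.intersection(*[X for X in A if frozenset(S) <= X])


def gpt_dabs_pre(label_classes, universe, trans=TRANS):
    """GPT^dAbs_pre: start from the disjunctive shell of the labelling
    classes and add pre(S) for a refiner S until no refiner exists."""
    A = lattice_closure(label_classes, universe)
    while True:
        refiner = next((S for S in sorted(A, key=len) if pre(S, trans) not in A), None)
        if refiner is None:
            return A
        A = lattice_closure(A | {pre(refiner, trans)}, universe)


def par(A, universe):
    """par(A): states with the same least enclosing element share a block."""
    return frozenset(frozenset(t for t in universe if alpha(A, {t}) == alpha(A, {s}))
                     for s in universe)


def poset(A, universe):
    """poset(A) = (par(A), <=_A) with B <=_A C iff alpha(B) is included in alpha(C)."""
    P = par(A, universe)
    le = frozenset((B, C) for B in P for C in P if alpha(A, B) <= alpha(A, C))
    return P, le


def closure_from_poset(le, S):
    """Lemma 5.2: gamma_A(alpha_A(S)) is the union of all B with B <=_A C
    for some block C meeting S."""
    return frozenset().union(*[B for (B, C) in le if C & frozenset(S)])


# A_4 from Example 5.3 (already closed under unions and intersections).
A4 = frozenset(map(frozenset, [(), (4, 5), (1, 4, 5), (2, 4, 5), (1, 2, 4, 5), (1, 2, 3, 4, 5)]))


def sim_partition():
    """P_sim = par(GPT^dAbs_pre(P_ell)) for the constructed structure."""
    return par(gpt_dabs_pre(LABEL_CLASSES, STATES), STATES)


if __name__ == "__main__":
    print(sorted(sorted(B) for B in sim_partition()))
```

Only one refinement happens on this structure: $\mathrm{pre}(\{4,7\}) = \{3,6\}$ is not a union of labelling classes, and adding it separates state 2 (a $b$-state with no successor) from states 3 and 6, while 1 and 5 remain in one block even though they are not bisimilar. In the resulting poset $\{3,6\} \leq_A \{2\}$ but not conversely, which is exactly the fact that 2 simulates 3 and 6 but not vice versa.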



5.2.2 Implementation 

Any state $s \in \Sigma$ is represented by a record State that contains a pointer field block that points to the block of the current partition $\mathrm{par}(A)$ that includes $s$ and a field pre that represents $\mathrm{pre}_\rightarrow(\{s\})$ as a list of pointers to the states in $\mathrm{pre}_\rightarrow(\{s\})$. The whole state space $\Sigma$ is represented as a doubly linked list states of State so that insertion/removal can be done in $O(1)$. The ordering in the list states matters and may change during computation.

Any block $B$ of the partition $\mathrm{par}(A) \in \mathrm{Part}(\Sigma)$ is represented by a record Block that contains the following fields:

- first and last are pointers to State such that the block $B$ consists of all the states in the interval [first, last] of the list states. When a state is either added to or removed from a block, the ordering in the list states changes accordingly and this can be done in $O(1)$.

- less is a linked list of pointers to Block. At the end of any refinement step, the list less for some block $B$ contains all the blocks $C \in \mathrm{par}(A)$ which are less than or equal to $B$, i.e. such that $C \leq_A B$. In particular, the list less is always nonempty because less always includes $B$ itself.
    /* P is the current partition, S is a list of pointers to State */
    split(S) {
        for all state in S do {
            Block* B = state->block;
            if (B->intersection == NULL) then {
                B->intersection = new Block;
                P.append(B->intersection);
                B->intersection->intersection = B->intersection;
                B->intersection->less = copy(B->less);
                B->intersection->changedImage = false;
            }
            move(state, B, B->intersection);
            if (B = ∅) then {                       /* case: B ⊆ S */
                B->first = B->intersection->first; B->last = B->intersection->last;
                P.remove(B->intersection);
                delete B->intersection;
                B->intersection = B;
            }
        }
    }

    /* P is the current partition after a call to split(S) */
    orderUpdate() {
        for all B in P do
            if (B ∩ S = ∅) then
                for all C in B->less
                    if (C ≠ parent(C)) then (B->less).append(parent(C) ∩ S);
            else                                    /* case: B ∩ S ≠ ∅, i.e. B ⊆ S */
                for all C in B->less {
                    if (C ⊆ S) then continue;
                    /* case: C ∩ S = ∅ */
                    (B->less).remove(C);
                    if (parent(C) ∩ S ≠ ∅) (B->less).append(parent(C) ∩ S);
                    B->changedImage = true;
                }
    }

Figure 4: The procedures split(S) and orderUpdate().



- intersection is a pointer to Block which is set by the procedure split that splits the current partition w.r.t. a set.

- changedImage is a boolean flag which is set by the procedure orderUpdate.

The blocks of the current partition $\mathrm{par}(A)$ are represented as a doubly linked list P of Block.

Let us face the problem of refining a disjunctive abstract domain $A$ to $A' = \mathcal{M}(\gamma(A) \cup \{S\})$ for some $S \subseteq \Sigma$. If $P, P' \in \mathrm{Part}(\Sigma)$, $P' \preceq P$ and $B \in P'$ then let $\mathrm{parent}_P(B) \in P$ (when clear from the context the subscript $P$ is omitted) denote the unique block in $P$ (possibly $B$ itself) that includes $B$. The following key result provides the basis for designing an algorithm that updates $\mathrm{poset}(A)$ to $\mathrm{poset}(A')$.

Lemma 5.4. Let $A \in \mathrm{dAbs}(\wp(\Sigma))$, $S \subseteq \Sigma$ and $A' = \mathcal{M}(\gamma(A) \cup \{S\}) \in \mathrm{dAbs}(\wp(\Sigma))$. Let $P = \mathrm{par}(A) \in \mathrm{Part}(\Sigma)$ and $P' = \mathrm{PTsplit}(S, P) \in \mathrm{Part}(\Sigma)$. Then, $\mathrm{poset}(A') = (P', \leq_{A'})$, where for any $B', C' \in P'$:

(i) if $B' \cap S = \varnothing$ then $C' \leq_{A'} B' \Leftrightarrow C' \subseteq \gamma_A(\alpha_A(\mathrm{parent}(B')))$;

(ii) if $B' \cap S \neq \varnothing$ then $C' \leq_{A'} B' \Leftrightarrow C' \subseteq \gamma_A(\alpha_A(\mathrm{parent}(B'))) \cap S$.
Proof. Let $\mu = \gamma_A \circ \alpha_A$ and $\mu' = \gamma_{A'} \circ \alpha_{A'}$. We first observe that if $x \in S$ then $\mu'(\{x\}) = \mu(\{x\}) \cap S$, while if $x \notin S$ then $\mu'(\{x\}) = \mu(\{x\})$. We then show the following statement: for any $x, y \in \Sigma$,

$\mu'(\{x\}) \subseteq \mu'(\{y\})$ iff $\mu(\{x\}) \subseteq \mu(\{y\})$ & $(y \in S \Rightarrow x \in S)$   (*)

($\Rightarrow$) Since $\mu' \sqsubseteq \mu$, we have that $\mu \circ \mu' = \mu$ so that $\mu(\{x\}) = \mu(\mu'(\{x\})) \subseteq \mu(\mu'(\{y\})) = \mu(\{y\})$. Moreover, if $y \in S$ then $x \in \mu'(\{x\}) \subseteq \mu'(\{y\}) \subseteq \mu'(S) = S$.

($\Leftarrow$) If $y \in S$ then $x \in S$ so that $\mu'(\{x\}) = \mu(\{x\}) \cap S \subseteq \mu(\{y\}) \cap S = \mu'(\{y\})$. If instead $y \notin S$ then $\mu'(\{x\}) \subseteq \mu(\{x\}) \subseteq \mu(\{y\}) = \mu'(\{y\})$.

It is then simple to show that $P' = \mathrm{PTsplit}(S, P) = \mathrm{par}(A')$. In fact, $x \equiv_{A'} y$ iff $\mu'(\{x\}) = \mu'(\{y\})$ and, by (*), this happens iff $\mu(\{x\}) = \mu(\{y\})$ and $x \in S \Leftrightarrow y \in S$, namely iff $x$ and $y$ belong to the same block of $\mathrm{PTsplit}(S, P)$.

It is simple to derive from (*) the following statement: for any $B', C' \in P'$,

$\mu'(C') \subseteq \mu'(B')$ iff $\mu(C') \subseteq \mu(B')$ & $(B' \cap S \neq \varnothing \Rightarrow C' \cap S \neq \varnothing)$   (†)

Let us now show points (i) and (ii). Let us observe that for any $B' \in P'$, since $P' \preceq P = \mathrm{par}(A)$, we have that $\mu(B') = \mu(\mathrm{parent}(B'))$.

(i) Assume that $B' \cap S = \varnothing$. If $C' \leq_{A'} B'$, i.e. $\mu'(C') \subseteq \mu'(B')$, then, by (†), $\mu(C') \subseteq \mu(B')$ so that $C' \subseteq \mu(C') \subseteq \mu(B') = \mu(\mathrm{parent}(B'))$. On the other hand, if $C' \subseteq \mu(\mathrm{parent}(B')) = \mu(B')$ then $\mu(C') \subseteq \mu(B')$ and $B' \cap S \neq \varnothing \Rightarrow C' \cap S \neq \varnothing$ so that, by (†), $\mu'(C') \subseteq \mu'(B')$, i.e. $C' \leq_{A'} B'$.

(ii) Assume that $B' \cap S \neq \varnothing$. If $C' \leq_{A'} B'$, i.e. $\mu'(C') \subseteq \mu'(B')$, then, by (†), $\mu(C') \subseteq \mu(B')$ and $C' \cap S \neq \varnothing$, namely $C' \subseteq S$. Also, $C' \subseteq \mu(C') \subseteq \mu(B') = \mu(\mathrm{parent}(B'))$ so that $C' \subseteq \mu(\mathrm{parent}(B')) \cap S$. On the other hand, if $C' \subseteq \mu(\mathrm{parent}(B')) \cap S = \mu(B') \cap S$ then $C' \cap S \neq \varnothing$. Also, from $C' \subseteq \mu(B')$ we obtain $\mu(C') \subseteq \mu(B')$. Thus, by (†), we obtain $\mu'(C') \subseteq \mu'(B')$, i.e. $C' \leq_{A'} B'$. □

A refinement step $\mathrm{refine}^{\mathrm{dAbs}}_{\mathrm{pre}}(S, A) = A'$ is thus implemented through the following two main steps:

(A) Update the partition $\mathrm{par}(A)$ to $\mathrm{PTsplit}(S, \mathrm{par}(A))$;

(B) Update the order relation $\leq_A$ on $\mathrm{par}(A)$ to $\leq_{A'}$ on $\mathrm{PTsplit}(S, \mathrm{par}(A))$ using Lemma 5.4.

The procedure split(S) in Figure 4 splits the current partition $P \in \mathrm{Part}(\Sigma)$ w.r.t. a splitter $S \subseteq \Sigma$. Initially, each block $B \in P$ has the field intersection set to NULL. At the end of split(S), the partition $P$ is updated to $P' = \mathrm{PTsplit}(S, P)$ where for any $B \in P$:

- If $\varnothing \subset B \cap S \subset B$ then $B$ is modified to $B \smallsetminus S$ by repeating the move statement in line 12 and the newly allocated block $B \cap S$ in line 6 is appended in line 7 at the end of the current list of blocks;

- If $B \cap S = B$ or $B \cap S = \varnothing$ then $B$ is not modified.

Moreover, the field intersection of any $B' \in P' = \mathrm{PTsplit}(S, P)$ is set as follows:

(1) If $B' \in P \cap P'$ and $B' \cap S = \varnothing$ then B'->intersection = NULL because split(S) does not modify the record $B'$.

(2) If $B' \in P \cap P'$ and $B' \cap S \neq \varnothing$ (i.e., $B' \subseteq S$) then B'->intersection = $B'$ (line 17).

(3) If $B' \in P' \smallsetminus P$ and $B' \cap S = \varnothing$ (i.e., $B' = \mathrm{parent}(B') \smallsetminus S$) then B'->intersection = $\mathrm{parent}(B') \cap S$ (line 6).

(4) If $B' \in P' \smallsetminus P$ and $B' \cap S \neq \varnothing$ (i.e., $B' = \mathrm{parent}(B') \cap S$) then B'->intersection = $B'$ (line 8).

Note that for the "old" blocks in $P$, split(S) does not modify the corresponding list of pointers less, while the list less for a newly allocated block $B \cap S$ is a copy of the list less of $B$ (line 9). Also observe that blocks that are referenced by pointers in some less field may well be modified.

The procedure orderUpdate() in Figure 4 is called after split(S) to update the less fields in order to represent the refined poset $(P', \leq_{A'})$ defined in Lemma 5.4. By exploiting the above points (1)-(4), let us observe the following points about the procedure orderUpdate() whose current partition represents $P' = \mathrm{PTsplit}(S, P)$.
    /* the list Atoms represents the set {[p]_K ⊆ Σ | p ∈ AP} */
    /* P is initialized to the single block partition */
    Partition P = {Σ}; Σ->less = {Σ};
    for all S in Atoms do {
        split(S); orderUpdate();
        split(∁S); orderUpdate();
    }
    for all B in P do {
        State* X = image(B);
        State* S = NULL;
        for all s in X do S.append(s->pre);
        split(S);
        orderUpdate();
        for all B in P do {
            B->intersection = NULL;
            if (B->changedImage) { B->changedImage = false; P.moveAtTheEnd(B); }
        }
    }

Figure 5: Implementation of $\mathrm{GPT}^{\mathrm{dAbs}}_{\mathrm{pre}}$.

(5) For all blocks $B' \in P'$, the test $B' \cap S = \varnothing$ in line 4 is translated as B'->intersection ≠ $B'$.

(6) The test $C \neq \mathrm{parent}(C)$ in line 6 is translated as C->intersection ≠ NULL and C->intersection ≠ $C$.

(7) The block $\mathrm{parent}(C) \cap S$ in lines 6 and 10 is C->intersection.

(8) The test $C \subseteq S$ in line 9 is equivalent to $C \cap S \neq \varnothing$ and is thus translated as C->intersection = $C$.

(9) Lines 4-6 implement the case (i) of Lemma 5.4.

(10) Lines 7-14 implement the case (ii) of Lemma 5.4.

Moreover, if for some blocks $B, C \in P'$ we have that $B \subseteq S$ and $C$ belongs to the list B->less and $C \cap S = \varnothing$ (namely, we are in the case of line 10) then, by Lemma 5.4, $\gamma_{A'}(\alpha_{A'}(B)) \subset \gamma_A(\alpha_A(B))$, that is, the image of $B$ changed. For these blocks $B$, the flag B->changedImage is set to true.

Finally, let us notice that the sequence of disjunctive abstract domains computed by some run of $\mathrm{GPT}^{\mathrm{dAbs}}_{\mathrm{pre}}$ is decreasing, namely if $A$ and $A'$ are, respectively, the current and next disjunctive abstract domains then $A' \sqsubset A$. As a consequence, if an image $\gamma_A(\alpha_A(B))$, for some $B \in \mathrm{par}(A)$, is not a refiner for $A$ and $B$ remains a block in the next refined partition $\mathrm{par}(A')$ then $\gamma_{A'}(\alpha_{A'}(B))$ cannot be a refiner for $A'$. Thus, a correct strategy for finding refiners consists in scanning the list of blocks of the current partition P while in any refinement step from $A$ to $A'$, after calling split(S), all the blocks $B \in \mathrm{par}(A')$ whose image changed are moved to the tail of P. This leads to the implementation of $\mathrm{GPT}^{\mathrm{dAbs}}_{\mathrm{pre}}$ described in Figure 5.

Theorem 5.5. The algorithm in Figure 5 computes simulation equivalence $P_{\mathrm{sim}}$ on $\mathcal{K}$ in space $O(|\Sigma| + |P_{\mathrm{sim}}|^2)$ and in time $O(|P_{\mathrm{sim}}|^2 \cdot (|P_{\mathrm{sim}}|^2 + |{\rightarrow}|))$.

Proof. We have shown above that the algorithm in Figure 5 is a correct implementation of $\mathrm{GPT}^{\mathrm{dAbs}}_{\mathrm{pre}}$. Let us observe the following points.

(1) For any block $B \in P$, by Lemma 5.2, image(B) in line 11 can be computed in the worst case by scanning each edge of the order relation $\leq_A$ on $P = \mathrm{par}(A)$, namely in $O(|P|^2)$ time. Since any current partition is coarser than $P_{\mathrm{sim}}$, it turns out that image(B) can be computed in $O(|P_{\mathrm{sim}}|^2)$ time.

(2) The list of pointers S in lines 12-13 representing $\mathrm{pre}_\rightarrow(\gamma_A(\alpha_A(B)))$ can be computed in the worst case by traversing the whole transition relation, namely in $O(|{\rightarrow}|)$-time.

(3) For any $S \subseteq \Sigma$, split(S) in line 14 is computed in $O(|S|)$ time.

(4) orderUpdate() in line 15 is computed in the worst case by scanning each edge of the order relation $\leq_A$ on $P = \mathrm{par}(A)$, namely in $O(|P|^2)$ time, and therefore in $O(|P_{\mathrm{sim}}|^2)$ time.

(5) The for loop in line 16 is computed in $O(|P|)$ time and therefore in $O(|P_{\mathrm{sim}}|)$ time.

Thus, an iteration of the for-loop takes $O(2|P_{\mathrm{sim}}|^2 + |{\rightarrow}| + |S| + |P_{\mathrm{sim}}|)$ time, namely, because $|S| \leq |{\rightarrow}|$, $O(|P_{\mathrm{sim}}|^2 + |{\rightarrow}|)$ time.

In order to prove that the time complexity is $O(|P_{\mathrm{sim}}|^2 \cdot (|P_{\mathrm{sim}}|^2 + |{\rightarrow}|))$, let us show that the number of iterations of the for-loop is in $O(|P_{\mathrm{sim}}|^2)$. Let $\{A_i\}_{i \in [1,k]} \subseteq \mathrm{dAbs}(\wp(\Sigma))$ be the sequence of different disjunctive abstract domains computed in some run of the algorithm and let $\{\mu_i\}_{i \in [1,k]} \subseteq \mathrm{uco}(\wp(\Sigma))$ be the corresponding sequence of disjunctive uco's. Thus, for any $i \in [1,k)$, $\mu_{i+1} \sqsubset \mu_i$ and $P_{\mathrm{sim}} = \mathrm{par}(\mu_k)$. Hence, for any $i \in [1,k]$, $P_{\mathrm{sim}} \preceq \mathrm{par}(\mu_i)$, so that for any $B \in P_{\mathrm{sim}}$, $\mu_i(B) = \bigcup_{j \in J} B_j$ for some set of blocks $\{B_j\}_{j \in J} \subseteq P_{\mathrm{sim}}$. We know that for any $i \in [1,k)$ there exists some block $B \in \mathrm{par}(\mu_i)$ whose image changes, namely $\mu_{i+1}(B) \subset \mu_i(B)$. Note that $\mu_{i+1}(B) \subset \mu_i(B)$ holds for some $B \in \mathrm{par}(\mu_i)$ if and only if $\mu_{i+1}(B) \subset \mu_i(B)$ holds for some $B \in P_{\mathrm{sim}}$. Clearly, for any block $B \in P_{\mathrm{sim}}$, this latter fact can happen at most $|P_{\mathrm{sim}}|$ times. Consequently, the overall number of blocks that in some iteration of the for-loop change image is bounded by $\sum_{B \in P_{\mathrm{sim}}} |P_{\mathrm{sim}}| = |P_{\mathrm{sim}}|^2$. Hence, the overall number of blocks that are scanned by the for-loop is bounded by $|\mathrm{par}(\mu_1)| + |P_{\mathrm{sim}}|^2$ and therefore the total number of iterations of the for-loop is in $O(|P_{\mathrm{sim}}|^2)$.

The input of the algorithm is the Kripke structure $\mathcal{K}$, that is the list states and for each state the list pre of its predecessors. In each iteration of the while loop we keep in memory all the fields of the record State, that need $O(|\Sigma|)$ space, the current partition, that needs $O(|P_{\mathrm{sim}}|)$ space, and the order relation $\leq_A$, that needs $O(|P_{\mathrm{sim}}|^2)$ space. Thus, the overall space complexity is $O(|\Sigma| + |P_{\mathrm{sim}}|^2)$. □



5.3 A Language Expressing Reachability 

Let us consider the following language $\mathcal{L}$ which is able to express reachability together with propositional logic through the existential "finally" operator:

$\varphi ::= p \mid \varphi_1 \wedge \varphi_2 \mid \neg\varphi \mid \mathrm{EF}\varphi$

Given a Kripke structure $(\Sigma, \rightarrow, \ell)$, the interpretation $\mathrm{EF} : \wp(\Sigma) \rightarrow \wp(\Sigma)$ of the reachability operator EF is as usual: $\mathrm{EF}(S) = \mathrm{EU}(\Sigma, S)$. Since $\mathcal{L}$ includes propositional logic, by Corollary 4.8 it turns out that the instance $\mathrm{GPT}^{\mathrm{Part}}_{\mathrm{EF}}$ allows to compute the coarsest strongly preserving partition $P_{\mathcal{L}}$, namely

$\mathrm{GPT}^{\mathrm{Part}}_{\mathrm{EF}}(P_\ell) = P_{\mathcal{L}}$

It turns out that block refiners are enough, namely

$\mathrm{BlockRefiners}^{\mathrm{Part}}_{\mathrm{EF}}(P) = \{B \in P \mid P \curlywedge \{\mathrm{EF}(B), \complement(\mathrm{EF}(B))\} \prec P\}$.

In fact, note that $\mathrm{BlockRefiners}^{\mathrm{Part}}_{\mathrm{EF}}(P) = \varnothing$ iff $\mathrm{Refiners}^{\mathrm{Part}}_{\mathrm{EF}}(P) = \varnothing$, so that, by exploiting Corollary 4.7, we have that $\mathrm{IGPT}^{\mathrm{Part}}_{\mathrm{EF}}(P_\ell) = P_{\mathcal{L}}$. The optimized algorithm $\mathrm{IGPT}^{\mathrm{Part}}_{\mathrm{EF}}$ is as follows.

    input: partition $P \in \mathrm{Part}(\Sigma)$;
    while ($\mathrm{BlockRefiners}^{\mathrm{Part}}_{\mathrm{EF}}(P) \neq \varnothing$) do
        choose $B \in \mathrm{BlockRefiners}^{\mathrm{Part}}_{\mathrm{EF}}(P)$;
        $P := P \curlywedge \{\mathrm{EF}(B), \complement(\mathrm{EF}(B))\}$;
    endwhile
    output: $P$;

                                $\mathrm{IGPT}^{\mathrm{Part}}_{\mathrm{EF}}$
    input: Transition System (Σ, →), List⟨Blocks⟩ P;
    (P_scc, →_scc) := scc(Σ, →);
    scan B in P {
        List⟨BlocksOfBlocks⟩ B_scc := {C ∈ P_scc | B ∩ C ≠ ∅};
        List⟨States⟩ S := ∪ computeEF(B_scc);
        split(S, P);
    }
    output: P;

                                IGPT^Part_EF

    List⟨States⟩ computeEF(List⟨States⟩ S) {
        List⟨States⟩ result;
        scan s in S { result.append(s); mark(s); }
        scan s in result
            forall r ∈ pre({s}) do
                if (r isNotMarked) then { result.append(r); mark(r); }
        return result;
    }

    split(List⟨States⟩ S, List⟨Blocks⟩ P) {
        scan s in S {
            Block B := s.block;
            if (B.intersection = false) then {
                B.intersection := true; B.split := true;
                Block B∩S := new Block;
                P.append(B∩S);
            }
            moveFromTo(s, B, B∩S);
            if (B = ∅) then {
                B.split := false;
                B := B∩S;
                P.remove(B∩S);
            }
        }
        scan B in P
            if (B.split = true) then P.moveAtTheEnd(B);
    }

Figure 6: Implementation of $\mathrm{IGPT}^{\mathrm{Part}}_{\mathrm{EF}}$.



5.3.1 Implementation 

The key point in implementing $\mathrm{IGPT}^{\mathrm{Part}}_{\mathrm{EF}}$ is the following property of "stability under refinement": for any $P, Q \in \mathrm{Part}(\Sigma)$,

if $Q \preceq P$ and $B \in P \cap Q$ then $P \curlywedge \{\mathrm{EF}(B), \complement(\mathrm{EF}(B))\} = P$ implies $Q \curlywedge \{\mathrm{EF}(B), \complement(\mathrm{EF}(B))\} = Q$.

As a consequence of this property, if some block $B$ of the current partition $P_{\mathrm{curr}}$ is not an EF-refiner for $P_{\mathrm{curr}}$ and $B$ remains a block of the next partition $P_{\mathrm{next}}$ then $B$ cannot be an EF-refiner for $P_{\mathrm{next}}$. This suggests an implementation of $\mathrm{IGPT}^{\mathrm{Part}}_{\mathrm{EF}}$ based on the following points:

(1) The current partition $P$ is represented as a doubly linked list of blocks (so that a block removal can be done in $O(1)$-time).

(2) This list of blocks $P$ is scanned from the beginning in order to find block refiners.

(3) When a block $B$ of the current partition $P$ is split into two new blocks $B_1$ and $B_2$ then $B$ is removed from the list $P$ and $B_1$ and $B_2$ are appended at the end of $P$.

These ideas lead to the implementation $\mathrm{IGPT}^{\mathrm{Part}}_{\mathrm{EF}}$ described in Figure 6. As a preprocessing step we compute the DAG of the strongly connected components (s.c.c.'s) of the directed graph $(\Sigma, \rightarrow)$, denoted by $(P_{\mathrm{scc}}, \rightarrow_{\mathrm{scc}})$. This is done by the depth-first Tarjan's algorithm [25] in $O(|{\rightarrow}|)$-time. This preprocessing step is done because if $x \in \mathrm{EF}(S)$, for some $x \in \Sigma$ and $S \subseteq \Sigma$, then the whole block $B_x$ in the partition $P_{\mathrm{scc}}$ that contains $x$, i.e., the strongly connected component containing $x$, is contained in $\mathrm{EF}(S)$; moreover, let us also observe that $\mathrm{EF}(\{x\}) = \mathrm{EF}(B_x)$. The algorithm then proceeds by scanning the list of blocks $P$ and performing the following three steps: (1) for the current block $B$ of the current partition $P$, we first compute the set $B_{\mathrm{scc}}$ of s.c.c.'s that contain some state in $B$; (2) we then compute $\mathrm{EF}(B_{\mathrm{scc}})$ in the DAG $(P_{\mathrm{scc}}, \rightarrow_{\mathrm{scc}})$ because $\mathrm{EF}(B) = \bigcup \mathrm{EF}(B_{\mathrm{scc}})$; (3) finally, we split the current partition $P$ w.r.t. the splitter $\mathrm{EF}(B)$. The computation of $\mathrm{EF}(B_{\mathrm{scc}})$ is performed by the simple procedure computeEF($B_{\mathrm{scc}}$) in Figure 6 in $O(|{\rightarrow_{\mathrm{scc}}}|)$-time while splitting $P$ w.r.t. $S$ is done by the procedure split($S$, $P$) in Figure 6 in $O(|S|)$-time. It turns out that this implementation runs in $O(|\Sigma| \cdot |{\rightarrow}|)$-time.

    Model        States   Transitions   Initial blocks   Final blocks   Blocks bisim. eq.      Time
    cwi_1_2        4339          4774               27             27                2959     0.05s
    cwi_3_14      18548         29104                3            123                 123     1.29s
    vasy_0_1       1513          2448                3             12                 152     0.01s
    vasy_10_56    67005        112312               13             18               67005     0.89s
    vasy_1_4       5647          8928                7             51                3372     0.16s
    vasy_18_73    91789        146086               18            161               70209     8.98s
    vasy_25_25    50433         50432            25217          50433               50433   721.37s
    vasy_40_60   100013        120014                4              4              100013     0.69s
    vasy_5_9      15162         19352               32           2528               13269     5.41s
    vasy_8_24     33290         48822               12           6295               30991    49.08s
    vasy_8_38     47345         76848               82          13246               47345    10.59s

Table 1: Results of the experimental evaluation.

Theorem 5.6. The implementation of $\mathrm{IGPT}^{\mathrm{Part}}_{\mathrm{EF}}$ in Figure 6 is correct and runs in $O(|\Sigma| \cdot |{\rightarrow}|)$-time.

Proof. Let us show the following points.

(1) Each iteration of the scan loop takes $O(|{\rightarrow}|)$ time.

(2) The number of iterations of the scan loop is in $O(|\Sigma|)$.

(1) Let $B$ be the current block while scanning the current partition $P$. The set $B_{\mathrm{scc}} = \{C \in P_{\mathrm{scc}} \mid B \cap C \neq \varnothing\}$ is determined in $O(|B|)$ time simply by scanning the states in $B$. The computation of $\mathrm{EF}(B_{\mathrm{scc}})$ in the DAG of s.c.c.'s $(P_{\mathrm{scc}}, \rightarrow_{\mathrm{scc}})$ takes $O(|{\rightarrow_{\mathrm{scc}}}|)$ time, the union $S = \bigcup \mathrm{EF}(B_{\mathrm{scc}})$ takes $O(|S|)$-time, while splitting $P$ w.r.t. $S$ takes $O(|S|)$ time. Thus, each iteration is done in $O(|B| + |{\rightarrow_{\mathrm{scc}}}| + 2|S|) = O(|{\rightarrow}| + |\Sigma|) = O(|{\rightarrow}|)$, since $|\Sigma| \leq |{\rightarrow}|$.

(2) Let $B$ be the current block of the current partition $P_{\mathrm{curr}}$. Then, the next partition $P_{\mathrm{next}} \preceq P_{\mathrm{curr}}$ is obtained by splitting through $\mathrm{EF}(B)$ a number $k \geq 0$ of blocks of $P_{\mathrm{curr}}$ so that $|P_{\mathrm{next}}| = |P_{\mathrm{curr}}| + k$, where we also consider the case that $\mathrm{EF}(B)$ is not a splitter for $P$, namely the case $k = 0$. Recall that any partition $P$ has a certain height $h(P) = |\Sigma| - |P|$ in the lattice $\mathrm{Part}(\Sigma)$ which is bounded by $|\Sigma| - 1$. Thus, after splitting $k$ blocks we have that $h(P_{\mathrm{next}}) = h(P_{\mathrm{curr}}) - k$. The total number of blocks which are split by some run of the algorithm is therefore bounded by $|\Sigma|$. As a consequence, if $\{P_i\}_{i=0}^{n}$ is the sequence of partitions computed by some run of the algorithm and $\{k_i\}_{i=0}^{n-1}$ is the corresponding sequence of the number of splits for each $P_i$, where $k_i \geq 0$, then $\sum_{i=0}^{n-1} k_i \leq |\Sigma|$. Also, at each iteration $i$ the number of new blocks is $2k_i$, so that the total number of new blocks in some run of the algorithm is $\sum_{i=0}^{n-1} 2k_i \leq 2|\Sigma|$. Summing up, the total number of blocks that are scanned by the scan loop is $|P_0| + \sum_{i=0}^{n-1} 2k_i \leq |P_0| + 2|\Sigma| \leq 3|\Sigma|$ and therefore the number of iterations is in $O(|\Sigma|)$.

Since the computation of the DAG of s.c.c.'s that precedes the scan loop takes $O(|{\rightarrow}|)$-time, the overall time complexity of the algorithm is $O(|{\rightarrow}| \cdot |\Sigma|)$. □

5.3.2 Experimental Evaluation 

A prototype of the above partition refinement algorithm IGPT_EF has been developed in C++, whose 
source code is available at http://www.math.unipd.it/~ranzato/GPT/IGPTPartEF.zip. We considered the 
well-known VLTS (Very Large Transition Systems) benchmark suite for our experiments [28]. The VLTS 
suite consists of transition systems encoded in the BCG (Binary-Coded Graphs) format where labels are 
attached to arcs. Since our algorithm needs as input a Kripke structure, namely a transition system where 
labels are attached to states, we exploited a procedure designed by Dovier et al. [9] that transforms an edge- 
labelled graph G into a node-labelled graph G' in such a way that bisimulation equivalences on G and G' 
coincide. This conversion acts as follows: any transition s1 →_l s2 is replaced by two transitions s1 → n 
and n → s2, where n is a new node labelled with l. Hence, this transformation grows the size of the graph: 
the number of transitions is doubled and the number of nodes grows proportionally to the average of the 
branching factor of G. 
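The conversion just described, as an added example that is not the implementation of Dovier et al. [9]: every labelled transition s1 →_l s2 is routed through a fresh intermediate node labelled l, and the node labels then give the initial partition that a state-labelled refinement algorithm starts from. The input system, the choice to give the original states a distinguished label "state" and the function names are the example's own assumptions.

```python
# Added example (not the procedure of Dovier et al. [9] itself): turn an
# edge-labelled transition system into a node-labelled Kripke structure by
# routing every transition s1 -l-> s2 through a fresh node n labelled l.

def edge_to_node_labelled(lts):
    """lts: list of (source, label, target) triples.
    Returns (succ, label_of): the successor map of the transformed graph and
    the label of each node; original states get the distinguished label "state"
    (an assumption of this example) so they are never merged with new nodes."""
    succ, label_of = {}, {}

    def add_state(s):
        succ.setdefault(s, [])
        label_of.setdefault(s, "state")

    for i, (s1, lab, s2) in enumerate(lts):
        add_state(s1)
        add_state(s2)
        n = ("n", i)                 # one fresh node per original transition
        succ[n] = [s2]               # n -> s2
        label_of[n] = lab
        succ[s1].append(n)           # s1 -> n
    return succ, label_of


def initial_partition(label_of):
    """Initial partition of the transformed graph: nodes grouped by label."""
    blocks = {}
    for s, lab in label_of.items():
        blocks.setdefault(lab, set()).add(s)
    return list(blocks.values())


def size(succ):
    """(number of nodes, number of transitions) of a successor map."""
    return len(succ), sum(len(ws) for ws in succ.values())


# Constructed edge-labelled system with 3 states and 4 transitions.
LTS = [("s0", "a", "s1"), ("s1", "b", "s0"), ("s1", "a", "s2"), ("s2", "c", "s2")]

if __name__ == "__main__":
    succ, label_of = edge_to_node_labelled(LTS)
    print(size(succ))                        # (7, 8): 3 + 4 nodes, 2 * 4 transitions
    print(len(initial_partition(label_of)))  # 4 blocks: states, a, b, c
```

The size check makes the growth concrete: the transformed graph has exactly twice as many transitions, and one extra node per original transition, which is why the "States" and "Transitions" columns of Table 1 refer to the transformed systems rather than to the original VLTS models.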

Our experimental evaluation of IGPT_EF was carried out on a Celeron 2.20 GHz laptop, with 512 
MB RAM, running Linux 2.6.15 and GNU g++ 4.0.1. The results are summarised in Table 1 where we 
list the name of the original transition system in the VLTS suite, the number of states and transitions of 
the transformed transition system, the number of blocks of the initial partition, the number of blocks of 
the final refined partition, the number of bisimulation classes and the execution time in seconds. The 
experiments show that one can obtain significant state space reductions with a reasonable time cost. It can 
therefore be interesting to experimentally evaluate whether this reduction can be practically applied as a 
pre-processing step for checking reachability specifications. 

6 Related Work 

Dams [7, Chapter 5] presents a generic splitting algorithm that, for a given language L ⊆ ACTL, com- 
putes an abstract model A ∈ Abs(℘(Σ)) that strongly preserves L. This technique is inherently different 
from ours, in particular because it is guided by a splitting operation of an abstract state that depends on a 
given formula of ACTL. Additionally, Dams' methodology does not guarantee optimality of the resulting 
strongly preserving abstract model, as ours instead does, because his algorithm may provide strongly pre- 
serving models which are too concrete. Dams [7, Chapter 6] also presents a generic partition refinement 
algorithm that computes a given (behavioural) state equivalence and generalizes the PT (i.e., bisimulation 
equivalence) and Groote and Vaandrager (i.e., stuttering equivalence) algorithms. This algorithm is param- 
eterized on a notion of splitter corresponding to some state equivalence, while our algorithm is directly 
parameterized on a given language: the example given in [7] (a "flat" version of CTL-X) seems to indicate 
that finding the right definition of splitter for some language may be a hard task. Gentilini et al. [11] provide 
an algorithm that solves a so-called generalized coarsest partition problem, meaning that they generalized 
PT stability to partitions endowed with an acyclic relation (so-called partition pairs). They show that this 
technique can be instantiated to obtain a logarithmic algorithm for PT stability and an efficient algorithm 
for simulation equivalence. This approach is very different from ours since the partition refinement algo- 
rithm is not driven by strong preservation w.r.t. some language. Finally, it is also worth citing that Habib 
et al. [ref. illegible] show that the technique of iteratively refining a partition by splitting blocks w.r.t. some pivot 
set, as is done in PT, may be generally applied for solving problems in various contexts, ranging from 
strings to graphs. In fact, they show that a generic skeleton of a partition refinement algorithm, based on a 
partition splitting step w.r.t. a generic pivot, can be instantiated in a number of relevant cases where the 
context allows an appropriate choice for the set of pivots. 

7 Conclusion and Future Work 

In model checking, the well known Paige-Tarjan algorithm is used for minimally refining a given state 
partition in order to obtain a standard abstract model that strongly preserves the branching-time language 
CTL on some Kripke structure. We designed a generalized Paige-Tarjan algorithm, called GPT, that 
minimally refines generic abstract interpretation-based models in order to obtain strong preservation for a 
generic inductive language. Abstract interpretation has been the key tool for accomplishing this task. GPT 
may be systematically instantiated to classes of abstract models and inductive languages that satisfy some 
conditions. We showed that some existing partition refinement algorithms can be viewed as an instance of 
GPT and that GPT may yield new efficient algorithms for computing strongly preserving abstract models, 
like simulation equivalence. 

GPT is parametric on a domain of abstract models which is an abstraction of the lattice of abstract 
domains Abs(℘(Σ)). GPT has been instantiated to the lattice Part(Σ) of partitions and to the lattice 
dAbs(℘(Σ)) of disjunctive abstract domains. It is definitely interesting to investigate whether the GPT 
scheme can be applied to new domains of abstract models. In particular, models that are abstractions of 
Part(Σ) could be useful for computing approximations of strongly preserving partitions. As an example, 
if one is interested in reducing only a portion S ⊆ Σ of the state space Σ then we may consider the domain 
Part(S) of partitions of S as an abstraction of Part(Σ) in order to get strong preservation only on the 
portion S. 